Edit tour

Windows Analysis Report
YjYoFznWQI.rtf

Overview

General Information

Sample name:	YjYoFznWQI.rtf renamed because original name is a hash value
Original sample name:	d559f074ac2f858891395b2d39d93e8e.rtf
Analysis ID:	1485301
MD5:	d559f074ac2f858891395b2d39d93e8e
SHA1:	04297240c45fce910112cadbdce42538a1b58889
SHA256:	731274dfb1a00b9694101c7488bdfa2c9bba0588f75b09a8ade4e6c6f86fbcdd
Tags:	rtf
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1764 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2432 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

winiti.exe (PID: 2840 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 002C833FF6ECAAC50C4EF23B36189BBC)

winiti.exe (PID: 1580 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 002C833FF6ECAAC50C4EF23B36189BBC)

winiti.exe (PID: 2592 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 002C833FF6ECAAC50C4EF23B36189BBC)

winiti.exe (PID: 2464 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 002C833FF6ECAAC50C4EF23B36189BBC)

winiti.exe (PID: 1812 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 002C833FF6ECAAC50C4EF23B36189BBC)

EQNEDT32.EXE (PID: 2708 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
YjYoFznWQI.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x666:$obj1: \objhtml 0x6a1:$obj2: \objdata 0x68b:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.411080065.0000000000080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.411080065.0000000000080000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b380:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13faf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.372607440.0000000000460000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.411140911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.411140911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e813:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17442:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.372745641.0000000002171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.winiti.exe.460000.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.winiti.exe.460000.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.winiti.exe.21938ac.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.winiti.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.winiti.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2da13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16642:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
9.2.winiti.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.winiti.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e813:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17442:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.winiti.exe.21938ac.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 104.219.239.104, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2432, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2432, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2432, Protocol: tcp, SourceIp: 104.219.239.104, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2432, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 2840, ProcessName: winiti.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2432, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 2840, ProcessName: winiti.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2432, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1764, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 - Source IP: 104.219.239.104 - Destination IP: 192.168.2.22

Timestamp:	2024-07-31T13:22:05.091868+0200
SID:	2022051
Source Port:	80
Destination Port:	49163
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 - Source IP: 104.219.239.104 - Destination IP: 192.168.2.22

Timestamp:	2024-07-31T13:22:04.936766+0200
SID:	2022050
Source Port:	80
Destination Port:	49163
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: YjYoFznWQI.rtf

Avira: detected

Antivirus detection for URL or domain

Source: http://104.219.239.104/15/winiti.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\winiti.exe	ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: YjYoFznWQI.rtf	ReversingLabs: Detection: 50%
Source: YjYoFznWQI.rtf	Virustotal: Detection: 55%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.411080065.0000000000080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.411140911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\winiti.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe	Joe Sandbox ML: detected

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.219.239.104 Port: 80

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\winiti.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\winiti.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source:	Binary string: jqAx.pdbSHA256c source: winiti.exe.2.dr, winiti[1].exe.2.dr
Source:	Binary string: jqAx.pdb source: winiti.exe.2.dr, winiti[1].exe.2.dr
Source:	Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 00000009.00000002.411240507.00000000009A0000.00000040.00001000.00020000.00000000.sdmp

Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104
Source: unknown	TCP traffic detected without corresponding DNS query: 104.219.239.104

Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.365668664.000000000067F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.219.239.104/15/winiti.exe
Source: EQNEDT32.EXE, 00000002.00000002.365668664.000000000067F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.219.239.104/15/winiti.exej
Source: EQNEDT32.EXE, 00000002.00000002.365668664.000000000067F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.219.239.104/15/winiti.exekkC:

Source: YjYoFznWQI.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.411080065.0000000000080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.411140911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\winiti.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0042BB43 NtClose,	9_2_0042BB43
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B07AC NtCreateMutant,LdrInitializeThunk,	9_2_009B07AC
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AF9F0 NtClose,LdrInitializeThunk,	9_2_009AF9F0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFAE8 NtQueryInformationProcess,LdrInitializeThunk,	9_2_009AFAE8
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFB68 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_009AFB68
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFDC0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_009AFDC0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B00C4 NtCreateFile,	9_2_009B00C4
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B0048 NtProtectVirtualMemory,	9_2_009B0048
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B0078 NtResumeThread,	9_2_009B0078
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B0060 NtQuerySection,	9_2_009B0060
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B01D4 NtSetValueKey,	9_2_009B01D4
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B010C NtOpenDirectoryObject,	9_2_009B010C
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B0C40 NtGetContextThread,	9_2_009B0C40
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B10D0 NtOpenProcessToken,	9_2_009B10D0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B1148 NtOpenThread,	9_2_009B1148
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AF8CC NtWaitForSingleObject,	9_2_009AF8CC
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AF900 NtReadFile,	9_2_009AF900
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AF938 NtWriteFile,	9_2_009AF938
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B1930 NtSetContextThread,	9_2_009B1930
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFAB8 NtQueryValueKey,	9_2_009AFAB8
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFAD0 NtAllocateVirtualMemory,	9_2_009AFAD0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFA20 NtQueryInformationFile,	9_2_009AFA20
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFA50 NtEnumerateValueKey,	9_2_009AFA50
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFBB8 NtQueryInformationToken,	9_2_009AFBB8
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFBE8 NtQueryVirtualMemory,	9_2_009AFBE8
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFB50 NtCreateKey,	9_2_009AFB50
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFC90 NtUnmapViewOfSection,	9_2_009AFC90
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFC30 NtOpenProcess,	9_2_009AFC30
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFC48 NtSetInformationFile,	9_2_009AFC48
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFC60 NtMapViewOfSection,	9_2_009AFC60
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFD8C NtDelayExecution,	9_2_009AFD8C
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009B1D80 NtSuspendThread,	9_2_009B1D80
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFD5C NtEnumerateKey,	9_2_009AFD5C
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFEA0 NtReadVirtualMemory,	9_2_009AFEA0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFED0 NtAdjustPrivilegesToken,	9_2_009AFED0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFE24 NtWriteVirtualMemory,	9_2_009AFE24
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFFB4 NtCreateSection,	9_2_009AFFB4
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFFFC NtCreateProcessEx,	9_2_009AFFFC
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009AFF34 NtQueueApcThread,	9_2_009AFF34

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0068BE8D	2_2_0068BE8D
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_00393140	5_2_00393140
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0039056C	5_2_0039056C
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0039E1E0	5_2_0039E1E0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0039E618	5_2_0039E618
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0039EA50	5_2_0039EA50
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_00392EE0	5_2_00392EE0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0039EF38	5_2_0039EF38
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_006812F8	5_2_006812F8
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00402830	9_2_00402830
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0042E103	9_2_0042E103
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0040FA5A	9_2_0040FA5A
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0040FA63	9_2_0040FA63
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00401200	9_2_00401200
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00403210	9_2_00403210
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00402359	9_2_00402359
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00402360	9_2_00402360
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00402CE0	9_2_00402CE0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0040DCF9	9_2_0040DCF9
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0040FC83	9_2_0040FC83
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00402579	9_2_00402579
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0040DD03	9_2_0040DD03
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00402580	9_2_00402580
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_004167AE	9_2_004167AE
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_004167B3	9_2_004167B3
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009BE0C6	9_2_009BE0C6
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009BE2E9	9_2_009BE2E9
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A663BF	9_2_00A663BF
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009E63DB	9_2_009E63DB
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009C2305	9_2_009C2305
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A0A37B	9_2_00A0A37B
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A4443E	9_2_00A4443E
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A405E3	9_2_00A405E3
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009DC5F0	9_2_009DC5F0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A06540	9_2_00A06540
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009C4680	9_2_009C4680
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009CE6C1	9_2_009CE6C1
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A62622	9_2_00A62622
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A0A634	9_2_00A0A634
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009CC7BC	9_2_009CC7BC
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009CC85C	9_2_009CC85C
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009E286D	9_2_009E286D
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A6098E	9_2_00A6098E
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009C29B2	9_2_009C29B2
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A549F5	9_2_00A549F5
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009D69FE	9_2_009D69FE
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A0C920	9_2_00A0C920
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A6CBA4	9_2_00A6CBA4
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A46BCB	9_2_00A46BCB
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A62C9C	9_2_00A62C9C
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A4AC5E	9_2_00A4AC5E
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009F0D3B	9_2_009F0D3B
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009CCD5B	9_2_009CCD5B
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009F2E2F	9_2_009F2E2F
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009DEE4C	9_2_009DEE4C
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A5CFB1	9_2_00A5CFB1
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A32FDC	9_2_00A32FDC
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009D0F3F	9_2_009D0F3F
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009ED005	9_2_009ED005
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009D905A	9_2_009D905A
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A3D06D	9_2_00A3D06D
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009C3040	9_2_009C3040
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A4D13F	9_2_00A4D13F
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A61238	9_2_00A61238
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009BF3CF	9_2_009BF3CF
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009C7353	9_2_009C7353
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009D1489	9_2_009D1489
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009F5485	9_2_009F5485
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009FD47D	9_2_009FD47D
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A635DA	9_2_00A635DA
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009C351F	9_2_009C351F
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A4579A	9_2_00A4579A
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009F57C3	9_2_009F57C3
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A5771D	9_2_00A5771D
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A5F8EE	9_2_00A5F8EE
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A3F8C4	9_2_00A3F8C4
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A4394B	9_2_00A4394B
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A45955	9_2_00A45955
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A73A83	9_2_00A73A83
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009BFBD7	9_2_009BFBD7
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A4DBDA	9_2_00A4DBDA
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009E7B00	9_2_009E7B00
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A5FDDD	9_2_00A5FDDD
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00A4BF14	9_2_00A4BF14
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009EDF7C	9_2_009EDF7C

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic	TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe 158C8861036425F4E7B9DF9A610A0E23D45A811C2916AA697CB01491B493E539
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\winiti.exe 158C8861036425F4E7B9DF9A610A0E23D45A811C2916AA697CB01491B493E539

Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: String function: 009BDF5C appears 137 times
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: String function: 00A03F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: String function: 009BE2A8 appears 60 times
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: String function: 00A0373B appears 253 times
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: String function: 00A2F970 appears 84 times

Source: YjYoFznWQI.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 9.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.411080065.0000000000080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.411140911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: winiti[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: winiti.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5.2.winiti.exe.21938ac.3.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.winiti.exe.460000.1.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 5.2.winiti.exe.5020000.6.raw.unpack, nVct438kgTuAYGVuDt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.5020000.6.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	Security API names: _0020.SetAccessControl
Source: 5.2.winiti.exe.5020000.6.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.5020000.6.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	Security API names: _0020.AddAccessRule
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	Security API names: _0020.SetAccessControl
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	Security API names: _0020.AddAccessRule
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, nVct438kgTuAYGVuDt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, nVct438kgTuAYGVuDt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	Security API names: _0020.SetAccessControl
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	Security API names: _0020.AddAccessRule

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: 5.2.winiti.exe.21938ac.3.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.winiti.exe.460000.1.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YjYoFznWQI.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
YjYoFznWQI.rtf

Source: 5.2.winiti.exe.5020000.6.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	.Net Code: J6bocaUKN3 System.Reflection.Assembly.Load(byte[])
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	.Net Code: J6bocaUKN3 System.Reflection.Assembly.Load(byte[])
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	.Net Code: J6bocaUKN3 System.Reflection.Assembly.Load(byte[])

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0068C264 pushad ; retn 0068h	2_2_0068C289
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0069337E push eax; ret	2_2_0069337F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0069334C push eax; ret	2_2_0069334F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00693346 push eax; ret	2_2_00693347
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0068E45E pushad ; iretd	2_2_0068E48A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0069372B push eax; ret	2_2_0069372F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0069553A push edx; ret	2_2_0069553B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0069333E push eax; ret	2_2_0069333F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00694230 push eax; ret	2_2_0069424F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00693735 push eax; ret	2_2_00693737
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00693D02 push edx; ret	2_2_00693D03
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00693CFA push edx; ret	2_2_00693CFB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006801F4 push eax; retf	2_2_006801F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0069338E push eax; ret	2_2_0069338F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00693386 push eax; ret	2_2_00693387
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00695899 push edx; ret	2_2_0069589B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00695891 push edx; ret	2_2_00695893
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_004231B6 push ebp; retf	9_2_004231B7
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_004114D2 push es; retf	9_2_004114D3
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00403490 push eax; ret	9_2_00403492
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00408493 push ds; retf	9_2_00408494
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0041856B pushad ; retf	9_2_004185C8
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0041852C pushad ; retf	9_2_004185C8
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0041858A pushad ; retf	9_2_004185C8
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0041E6AE push esp; iretd	9_2_0041E6B1
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0041876B push edi; iretd	9_2_0041877C
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_00418773 push edi; iretd	9_2_0041877C
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_0041871D push ebx; ret	9_2_0041871F
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009BDFA1 push ecx; ret	9_2_009BDFB4

Source: winiti[1].exe.2.dr	Static PE information: section name: .text entropy: 7.9671901350840715
Source: winiti.exe.2.dr	Static PE information: section name: .text entropy: 7.9671901350840715

Source: 5.2.winiti.exe.21938ac.3.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	High entropy of concatenated method names: 'sBWW1o69QP', 'RgtTUJcyZL', 'wHRL3ZoRRm', 'qx3LWApERP', 'Eo0LL2b9ec', 'SSpLi0YFJu', 'f0gY5uTkfS8Ax', 'DIXDrUpg3', 'mwmTMKcOE', 'GXuog4qOP'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, CHlsnFvlEuncWReGJN.cs	High entropy of concatenated method names: 'CVc3awEPJ4', 'qwe367xQE5', 'osh3jJvIvQ', 'KNb3AIsT1t', 'JdC3gWp5qr', 'hT53rcyh64', 'r3lkva1Cv2tVjLXtYs', 'AgLGulVq7Y3b4oTBow', 'yEp33E5yyH', 'wBP3eZwaY0'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, BHMimqiOshVfXrPhSg.cs	High entropy of concatenated method names: 'mxNaZf9cRi', 'mg4a2RPUwG', 'Pbkackc0qU', 'IRFa8qRsfD', 'nlUa9Fl1R1', 'KuSaWcJpPH', 'l7xaSPsIXO', 'WDGaDc55iB', 'L9Ua1JGhuj', 'mVYaOdsviC'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, DNvTqDGmNxtIgohYcw.cs	High entropy of concatenated method names: 'oQQc0FQ4i', 'BDU8PkAch', 'rkqWOLNkq', 'UmlSiRSE5', 'Ybr142J9O', 'eMBOVFKcY', 'ygo0KGNW2y8Td7NcKn', 'WoRTMJbUEOcomR4pas', 'tyJponITf', 'vAkUiZtEu'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, lauX2PRRT693RMSPdvu.cs	High entropy of concatenated method names: 'ToString', 'DlYUe2opvc', 'CV4Uo35JXG', 'mHsUkQLx13', 'QIHUVxqF0H', 'dLnUXtZwWo', 'zCXUsvJO8B', 'bD4UuudYvN', 'zrbGeIv0GGBx746fpX1', 'awMFmjv5orduFZSM9QG'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, fLc7GNRGXk42bWVPTdA.cs	High entropy of concatenated method names: 'SMnUZyqKit', 'mfIU2GHuaK', 'RKiUc8qvvC', 'QYycJLvX2wHgQqIQYE6', 'MwyCMpv1EVAP1kbcIwQ', 'LWMB7FvVMdBDpOmMYAE', 'bcgXBtvImrVYuDijkcy', 'rXAxRove9Ax9tCA9jes', 'OmmrbYvu3QWwoxyKhfK'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, VgRoFg73KgTDHHCmuI.cs	High entropy of concatenated method names: 'QhHhNZxUe0', 'liwhGUVpbf', 'csapYg01Py', 'fQHp3vqhRn', 'ihbh0XiW27', 'aUJhxKf7tq', 'PsthbkctA1', 'pJIhC5PAqm', 'HPdh49Evdc', 'jGVhdE2OBs'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, dkykbkR9rQvNG3XZmIP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'H4xUCnf6Ip', 'QTSU4qqvwL', 'KdrUdcQ1Uf', 'J0aUR5pqOD', 'yGSUtxSiVW', 'hh5UMOGw1s', 'XRgUHHhleZ'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, W4Drl4TO37y97JWKtA.cs	High entropy of concatenated method names: 'Dispose', 'IoK35TohUO', 'dpjJLlOJ9L', 'kQRKKgqWcH', 'gHF3GF3xSa', 'raU3zpcFtC', 'ProcessDialogKey', 'XERJYWowes', 'DpjJ35479m', 'Y3RJJQXD9y'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, GXYba2YoMQG9XKKBvl.cs	High entropy of concatenated method names: 'ubhs8yexla', 'FJGsWAcVyA', 'xnnsD82CGA', 'MjWs1jMqoD', 'NK7sguDqbQ', 'QHisrp9d4N', 'fgnshtkjEl', 'NxpspaEamv', 'm52slv2U4T', 'SbEsURbKbR'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, rHxnfv6Sf3LHXLbEDN.cs	High entropy of concatenated method names: 'aZ3gfA2H4y', 'VKEgxirfWt', 'X0ZgCX1bvr', 'zT3g4hwbaM', 'eQigLZGBoy', 'JbjgwJarVa', 'CpCgBlaC7Q', 'nYUgQg5SNc', 'u1ygINVLGh', 'RltgyRc9sr'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, Eil6R8trbmXLNBHNuy.cs	High entropy of concatenated method names: 'mdcxj9UD4ZfGMsOqg4u', 'ML04rsUtbCB8poGaqhm', 'riAPpKVKfA', 'lKGPlQqeOQ', 'HkwPUY2JFn', 'VuIkxIUG0kx9T58IVDd', 'kFedhRUPXY0is8rO78b'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, Iyof3xLt5ZRIW115jV.cs	High entropy of concatenated method names: 'kdvpV4B7hw', 'OOVpXnRvPT', 'n9cpsAqFpC', 'jBmpu0lT2h', 'POQpPXiGii', 'xQppaM7Y94', 'RrTp631cLq', 'YW7pndJMuP', 't2lpjgmutN', 'tlEpAJcQFJ'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, ypaX1MoG8LqZAomX1h.cs	High entropy of concatenated method names: 'iUsmD0Wbv1', 'Gy6m1CbjAB', 'bB5mFu1XcP', 'O02mLfIvrT', 'dmZmBhckm6', 'UghmQocMCc', 'tfImyLe2cb', 'UlbmvKWonI', 'RoSmfsucrk', 'veWm0nNgKB'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, KTv2InajnNoxY4E9Rd.cs	High entropy of concatenated method names: 'RTAhjP8qxY', 'DJLhAd1soQ', 'ToString', 'EmshVltPQM', 'M9ihXvN6Aj', 'arohs2yJBr', 'GCLhu8PtuH', 'MKBhPbEZVy', 'v1vha07xgC', 'W8mh6Lmjm2'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, nVct438kgTuAYGVuDt.cs	High entropy of concatenated method names: 'dsyXCJ0UkE', 'vibX4Bafga', 'TJhXdPevij', 'L10XR0cLol', 'GZVXtyLeOy', 'sfZXMPY3Yx', 'Q56XHvxXKK', 'ko9XNVxS0m', 'nkiX5hNRS2', 'RVtXGJCWKH'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, msCl8PRUvFWMD9tfMcE.cs	High entropy of concatenated method names: 'WRRlZWrtak', 'JZ4l2ZBqcr', 'GjClcT3TwS', 'VAjl8Lxskp', 'AIXl953Na7', 'kkPlWvTvbU', 'vqclSXhtIP', 'WqWlDw97hZ', 'uShl13g10D', 'hOLlOkHiR0'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, zxyfQhlGRkA29DlFf0.cs	High entropy of concatenated method names: 'cs9l3g4YWl', 'GmpleImVL0', 'nb3lo5h3p2', 'N4ulVRw5iJ', 'L8ylX4yt1r', 'qg6luxFV2M', 'qAblP9sDLO', 'VZYpHNg4nF', 'seLpNegVPF', 'asRp51FiNB'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	High entropy of concatenated method names: 'ob7ekgbvlw', 'S6beVLwqgn', 'BL8eXVgohH', 'mS4esF7ESR', 'zKReum5ndl', 'GuKePYyPtM', 'sYCea3vm2x', 'CNLe6U93Gd', 'jPUen8uyCf', 'GFhejiyNcM'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, HKRKTgmgtv8UpWFG4L.cs	High entropy of concatenated method names: 'VqRaVuy3I3', 'nuCasepv50', 'C4SaPusZJx', 'ic7PGZ1NOF', 'FIGPzE4K6K', 'T1IaYJD7cQ', 'chNa3wR8ZF', 'SfSaJKrTBw', 'L75ae2JsZC', 'HnBaoqWiOw'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, gpIaQEFaQE9fYaXf6e.cs	High entropy of concatenated method names: 'wQOPk9kstW', 'BZlPXNs14N', 'fVwPuR8M5b', 'FhWPapVJ0D', 'snnP6g7eSw', 'xkvutMNLZ8', 'KGOuM2v4gP', 'DxLuH4OqDX', 'QjyuN5KtUJ', 'eI8u5Fdfj7'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, IFh7DVzobfxWABMarZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jD9lmmbE46', 'YcolgyxY57', 'rnSlrwoFRU', 'qRNlheZBqp', 'S1NlpSP1iM', 'ARllleQd8r', 'GQflUXAlUv'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, VqE1uksyKtqyCUTeoW.cs	High entropy of concatenated method names: 'OZepFNKa63', 'wM9pLVmaRq', 'fRLpwEcMtB', 'sxIpBk5vyi', 'f0gpCjXGM4', 'EEDpQvW3EV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.winiti.exe.5020000.6.raw.unpack, iywWJ6hAJcl2siLDcZ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pkVJ5i3Vb1', 'bZrJGW8hEF', 'Wl3Jz0MIQO', 'AaFeYwq38k', 'znYe3pEYhj', 'eKCeJ7R9JI', 'yXxeebd3Nu', 'yq7FgWHUgUkJkmYGC5X'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, CHlsnFvlEuncWReGJN.cs	High entropy of concatenated method names: 'CVc3awEPJ4', 'qwe367xQE5', 'osh3jJvIvQ', 'KNb3AIsT1t', 'JdC3gWp5qr', 'hT53rcyh64', 'r3lkva1Cv2tVjLXtYs', 'AgLGulVq7Y3b4oTBow', 'yEp33E5yyH', 'wBP3eZwaY0'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, BHMimqiOshVfXrPhSg.cs	High entropy of concatenated method names: 'mxNaZf9cRi', 'mg4a2RPUwG', 'Pbkackc0qU', 'IRFa8qRsfD', 'nlUa9Fl1R1', 'KuSaWcJpPH', 'l7xaSPsIXO', 'WDGaDc55iB', 'L9Ua1JGhuj', 'mVYaOdsviC'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, DNvTqDGmNxtIgohYcw.cs	High entropy of concatenated method names: 'oQQc0FQ4i', 'BDU8PkAch', 'rkqWOLNkq', 'UmlSiRSE5', 'Ybr142J9O', 'eMBOVFKcY', 'ygo0KGNW2y8Td7NcKn', 'WoRTMJbUEOcomR4pas', 'tyJponITf', 'vAkUiZtEu'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, lauX2PRRT693RMSPdvu.cs	High entropy of concatenated method names: 'ToString', 'DlYUe2opvc', 'CV4Uo35JXG', 'mHsUkQLx13', 'QIHUVxqF0H', 'dLnUXtZwWo', 'zCXUsvJO8B', 'bD4UuudYvN', 'zrbGeIv0GGBx746fpX1', 'awMFmjv5orduFZSM9QG'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, fLc7GNRGXk42bWVPTdA.cs	High entropy of concatenated method names: 'SMnUZyqKit', 'mfIU2GHuaK', 'RKiUc8qvvC', 'QYycJLvX2wHgQqIQYE6', 'MwyCMpv1EVAP1kbcIwQ', 'LWMB7FvVMdBDpOmMYAE', 'bcgXBtvImrVYuDijkcy', 'rXAxRove9Ax9tCA9jes', 'OmmrbYvu3QWwoxyKhfK'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, VgRoFg73KgTDHHCmuI.cs	High entropy of concatenated method names: 'QhHhNZxUe0', 'liwhGUVpbf', 'csapYg01Py', 'fQHp3vqhRn', 'ihbh0XiW27', 'aUJhxKf7tq', 'PsthbkctA1', 'pJIhC5PAqm', 'HPdh49Evdc', 'jGVhdE2OBs'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, dkykbkR9rQvNG3XZmIP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'H4xUCnf6Ip', 'QTSU4qqvwL', 'KdrUdcQ1Uf', 'J0aUR5pqOD', 'yGSUtxSiVW', 'hh5UMOGw1s', 'XRgUHHhleZ'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, W4Drl4TO37y97JWKtA.cs	High entropy of concatenated method names: 'Dispose', 'IoK35TohUO', 'dpjJLlOJ9L', 'kQRKKgqWcH', 'gHF3GF3xSa', 'raU3zpcFtC', 'ProcessDialogKey', 'XERJYWowes', 'DpjJ35479m', 'Y3RJJQXD9y'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, GXYba2YoMQG9XKKBvl.cs	High entropy of concatenated method names: 'ubhs8yexla', 'FJGsWAcVyA', 'xnnsD82CGA', 'MjWs1jMqoD', 'NK7sguDqbQ', 'QHisrp9d4N', 'fgnshtkjEl', 'NxpspaEamv', 'm52slv2U4T', 'SbEsURbKbR'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, rHxnfv6Sf3LHXLbEDN.cs	High entropy of concatenated method names: 'aZ3gfA2H4y', 'VKEgxirfWt', 'X0ZgCX1bvr', 'zT3g4hwbaM', 'eQigLZGBoy', 'JbjgwJarVa', 'CpCgBlaC7Q', 'nYUgQg5SNc', 'u1ygINVLGh', 'RltgyRc9sr'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, Eil6R8trbmXLNBHNuy.cs	High entropy of concatenated method names: 'mdcxj9UD4ZfGMsOqg4u', 'ML04rsUtbCB8poGaqhm', 'riAPpKVKfA', 'lKGPlQqeOQ', 'HkwPUY2JFn', 'VuIkxIUG0kx9T58IVDd', 'kFedhRUPXY0is8rO78b'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, Iyof3xLt5ZRIW115jV.cs	High entropy of concatenated method names: 'kdvpV4B7hw', 'OOVpXnRvPT', 'n9cpsAqFpC', 'jBmpu0lT2h', 'POQpPXiGii', 'xQppaM7Y94', 'RrTp631cLq', 'YW7pndJMuP', 't2lpjgmutN', 'tlEpAJcQFJ'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, ypaX1MoG8LqZAomX1h.cs	High entropy of concatenated method names: 'iUsmD0Wbv1', 'Gy6m1CbjAB', 'bB5mFu1XcP', 'O02mLfIvrT', 'dmZmBhckm6', 'UghmQocMCc', 'tfImyLe2cb', 'UlbmvKWonI', 'RoSmfsucrk', 'veWm0nNgKB'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, KTv2InajnNoxY4E9Rd.cs	High entropy of concatenated method names: 'RTAhjP8qxY', 'DJLhAd1soQ', 'ToString', 'EmshVltPQM', 'M9ihXvN6Aj', 'arohs2yJBr', 'GCLhu8PtuH', 'MKBhPbEZVy', 'v1vha07xgC', 'W8mh6Lmjm2'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, nVct438kgTuAYGVuDt.cs	High entropy of concatenated method names: 'dsyXCJ0UkE', 'vibX4Bafga', 'TJhXdPevij', 'L10XR0cLol', 'GZVXtyLeOy', 'sfZXMPY3Yx', 'Q56XHvxXKK', 'ko9XNVxS0m', 'nkiX5hNRS2', 'RVtXGJCWKH'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, msCl8PRUvFWMD9tfMcE.cs	High entropy of concatenated method names: 'WRRlZWrtak', 'JZ4l2ZBqcr', 'GjClcT3TwS', 'VAjl8Lxskp', 'AIXl953Na7', 'kkPlWvTvbU', 'vqclSXhtIP', 'WqWlDw97hZ', 'uShl13g10D', 'hOLlOkHiR0'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, zxyfQhlGRkA29DlFf0.cs	High entropy of concatenated method names: 'cs9l3g4YWl', 'GmpleImVL0', 'nb3lo5h3p2', 'N4ulVRw5iJ', 'L8ylX4yt1r', 'qg6luxFV2M', 'qAblP9sDLO', 'VZYpHNg4nF', 'seLpNegVPF', 'asRp51FiNB'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	High entropy of concatenated method names: 'ob7ekgbvlw', 'S6beVLwqgn', 'BL8eXVgohH', 'mS4esF7ESR', 'zKReum5ndl', 'GuKePYyPtM', 'sYCea3vm2x', 'CNLe6U93Gd', 'jPUen8uyCf', 'GFhejiyNcM'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, HKRKTgmgtv8UpWFG4L.cs	High entropy of concatenated method names: 'VqRaVuy3I3', 'nuCasepv50', 'C4SaPusZJx', 'ic7PGZ1NOF', 'FIGPzE4K6K', 'T1IaYJD7cQ', 'chNa3wR8ZF', 'SfSaJKrTBw', 'L75ae2JsZC', 'HnBaoqWiOw'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, gpIaQEFaQE9fYaXf6e.cs	High entropy of concatenated method names: 'wQOPk9kstW', 'BZlPXNs14N', 'fVwPuR8M5b', 'FhWPapVJ0D', 'snnP6g7eSw', 'xkvutMNLZ8', 'KGOuM2v4gP', 'DxLuH4OqDX', 'QjyuN5KtUJ', 'eI8u5Fdfj7'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, IFh7DVzobfxWABMarZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jD9lmmbE46', 'YcolgyxY57', 'rnSlrwoFRU', 'qRNlheZBqp', 'S1NlpSP1iM', 'ARllleQd8r', 'GQflUXAlUv'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, VqE1uksyKtqyCUTeoW.cs	High entropy of concatenated method names: 'OZepFNKa63', 'wM9pLVmaRq', 'fRLpwEcMtB', 'sxIpBk5vyi', 'f0gpCjXGM4', 'EEDpQvW3EV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.winiti.exe.35768e8.5.raw.unpack, iywWJ6hAJcl2siLDcZ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pkVJ5i3Vb1', 'bZrJGW8hEF', 'Wl3Jz0MIQO', 'AaFeYwq38k', 'znYe3pEYhj', 'eKCeJ7R9JI', 'yXxeebd3Nu', 'yq7FgWHUgUkJkmYGC5X'
Source: 5.2.winiti.exe.460000.1.raw.unpack, JwlrlmCCKvmG8rWaC9.cs	High entropy of concatenated method names: 'sBWW1o69QP', 'RgtTUJcyZL', 'wHRL3ZoRRm', 'qx3LWApERP', 'Eo0LL2b9ec', 'SSpLi0YFJu', 'f0gY5uTkfS8Ax', 'DIXDrUpg3', 'mwmTMKcOE', 'GXuog4qOP'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, CHlsnFvlEuncWReGJN.cs	High entropy of concatenated method names: 'CVc3awEPJ4', 'qwe367xQE5', 'osh3jJvIvQ', 'KNb3AIsT1t', 'JdC3gWp5qr', 'hT53rcyh64', 'r3lkva1Cv2tVjLXtYs', 'AgLGulVq7Y3b4oTBow', 'yEp33E5yyH', 'wBP3eZwaY0'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, BHMimqiOshVfXrPhSg.cs	High entropy of concatenated method names: 'mxNaZf9cRi', 'mg4a2RPUwG', 'Pbkackc0qU', 'IRFa8qRsfD', 'nlUa9Fl1R1', 'KuSaWcJpPH', 'l7xaSPsIXO', 'WDGaDc55iB', 'L9Ua1JGhuj', 'mVYaOdsviC'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, DNvTqDGmNxtIgohYcw.cs	High entropy of concatenated method names: 'oQQc0FQ4i', 'BDU8PkAch', 'rkqWOLNkq', 'UmlSiRSE5', 'Ybr142J9O', 'eMBOVFKcY', 'ygo0KGNW2y8Td7NcKn', 'WoRTMJbUEOcomR4pas', 'tyJponITf', 'vAkUiZtEu'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, lauX2PRRT693RMSPdvu.cs	High entropy of concatenated method names: 'ToString', 'DlYUe2opvc', 'CV4Uo35JXG', 'mHsUkQLx13', 'QIHUVxqF0H', 'dLnUXtZwWo', 'zCXUsvJO8B', 'bD4UuudYvN', 'zrbGeIv0GGBx746fpX1', 'awMFmjv5orduFZSM9QG'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, fLc7GNRGXk42bWVPTdA.cs	High entropy of concatenated method names: 'SMnUZyqKit', 'mfIU2GHuaK', 'RKiUc8qvvC', 'QYycJLvX2wHgQqIQYE6', 'MwyCMpv1EVAP1kbcIwQ', 'LWMB7FvVMdBDpOmMYAE', 'bcgXBtvImrVYuDijkcy', 'rXAxRove9Ax9tCA9jes', 'OmmrbYvu3QWwoxyKhfK'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, VgRoFg73KgTDHHCmuI.cs	High entropy of concatenated method names: 'QhHhNZxUe0', 'liwhGUVpbf', 'csapYg01Py', 'fQHp3vqhRn', 'ihbh0XiW27', 'aUJhxKf7tq', 'PsthbkctA1', 'pJIhC5PAqm', 'HPdh49Evdc', 'jGVhdE2OBs'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, dkykbkR9rQvNG3XZmIP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'H4xUCnf6Ip', 'QTSU4qqvwL', 'KdrUdcQ1Uf', 'J0aUR5pqOD', 'yGSUtxSiVW', 'hh5UMOGw1s', 'XRgUHHhleZ'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, W4Drl4TO37y97JWKtA.cs	High entropy of concatenated method names: 'Dispose', 'IoK35TohUO', 'dpjJLlOJ9L', 'kQRKKgqWcH', 'gHF3GF3xSa', 'raU3zpcFtC', 'ProcessDialogKey', 'XERJYWowes', 'DpjJ35479m', 'Y3RJJQXD9y'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, GXYba2YoMQG9XKKBvl.cs	High entropy of concatenated method names: 'ubhs8yexla', 'FJGsWAcVyA', 'xnnsD82CGA', 'MjWs1jMqoD', 'NK7sguDqbQ', 'QHisrp9d4N', 'fgnshtkjEl', 'NxpspaEamv', 'm52slv2U4T', 'SbEsURbKbR'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, rHxnfv6Sf3LHXLbEDN.cs	High entropy of concatenated method names: 'aZ3gfA2H4y', 'VKEgxirfWt', 'X0ZgCX1bvr', 'zT3g4hwbaM', 'eQigLZGBoy', 'JbjgwJarVa', 'CpCgBlaC7Q', 'nYUgQg5SNc', 'u1ygINVLGh', 'RltgyRc9sr'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, Eil6R8trbmXLNBHNuy.cs	High entropy of concatenated method names: 'mdcxj9UD4ZfGMsOqg4u', 'ML04rsUtbCB8poGaqhm', 'riAPpKVKfA', 'lKGPlQqeOQ', 'HkwPUY2JFn', 'VuIkxIUG0kx9T58IVDd', 'kFedhRUPXY0is8rO78b'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, Iyof3xLt5ZRIW115jV.cs	High entropy of concatenated method names: 'kdvpV4B7hw', 'OOVpXnRvPT', 'n9cpsAqFpC', 'jBmpu0lT2h', 'POQpPXiGii', 'xQppaM7Y94', 'RrTp631cLq', 'YW7pndJMuP', 't2lpjgmutN', 'tlEpAJcQFJ'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, ypaX1MoG8LqZAomX1h.cs	High entropy of concatenated method names: 'iUsmD0Wbv1', 'Gy6m1CbjAB', 'bB5mFu1XcP', 'O02mLfIvrT', 'dmZmBhckm6', 'UghmQocMCc', 'tfImyLe2cb', 'UlbmvKWonI', 'RoSmfsucrk', 'veWm0nNgKB'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, KTv2InajnNoxY4E9Rd.cs	High entropy of concatenated method names: 'RTAhjP8qxY', 'DJLhAd1soQ', 'ToString', 'EmshVltPQM', 'M9ihXvN6Aj', 'arohs2yJBr', 'GCLhu8PtuH', 'MKBhPbEZVy', 'v1vha07xgC', 'W8mh6Lmjm2'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, nVct438kgTuAYGVuDt.cs	High entropy of concatenated method names: 'dsyXCJ0UkE', 'vibX4Bafga', 'TJhXdPevij', 'L10XR0cLol', 'GZVXtyLeOy', 'sfZXMPY3Yx', 'Q56XHvxXKK', 'ko9XNVxS0m', 'nkiX5hNRS2', 'RVtXGJCWKH'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, msCl8PRUvFWMD9tfMcE.cs	High entropy of concatenated method names: 'WRRlZWrtak', 'JZ4l2ZBqcr', 'GjClcT3TwS', 'VAjl8Lxskp', 'AIXl953Na7', 'kkPlWvTvbU', 'vqclSXhtIP', 'WqWlDw97hZ', 'uShl13g10D', 'hOLlOkHiR0'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, zxyfQhlGRkA29DlFf0.cs	High entropy of concatenated method names: 'cs9l3g4YWl', 'GmpleImVL0', 'nb3lo5h3p2', 'N4ulVRw5iJ', 'L8ylX4yt1r', 'qg6luxFV2M', 'qAblP9sDLO', 'VZYpHNg4nF', 'seLpNegVPF', 'asRp51FiNB'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, W9IPWAqr0MPYr1VvVo.cs	High entropy of concatenated method names: 'ob7ekgbvlw', 'S6beVLwqgn', 'BL8eXVgohH', 'mS4esF7ESR', 'zKReum5ndl', 'GuKePYyPtM', 'sYCea3vm2x', 'CNLe6U93Gd', 'jPUen8uyCf', 'GFhejiyNcM'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, HKRKTgmgtv8UpWFG4L.cs	High entropy of concatenated method names: 'VqRaVuy3I3', 'nuCasepv50', 'C4SaPusZJx', 'ic7PGZ1NOF', 'FIGPzE4K6K', 'T1IaYJD7cQ', 'chNa3wR8ZF', 'SfSaJKrTBw', 'L75ae2JsZC', 'HnBaoqWiOw'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, gpIaQEFaQE9fYaXf6e.cs	High entropy of concatenated method names: 'wQOPk9kstW', 'BZlPXNs14N', 'fVwPuR8M5b', 'FhWPapVJ0D', 'snnP6g7eSw', 'xkvutMNLZ8', 'KGOuM2v4gP', 'DxLuH4OqDX', 'QjyuN5KtUJ', 'eI8u5Fdfj7'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, IFh7DVzobfxWABMarZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jD9lmmbE46', 'YcolgyxY57', 'rnSlrwoFRU', 'qRNlheZBqp', 'S1NlpSP1iM', 'ARllleQd8r', 'GQflUXAlUv'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, VqE1uksyKtqyCUTeoW.cs	High entropy of concatenated method names: 'OZepFNKa63', 'wM9pLVmaRq', 'fRLpwEcMtB', 'sxIpBk5vyi', 'f0gpCjXGM4', 'EEDpQvW3EV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.winiti.exe.34ef6c8.4.raw.unpack, iywWJ6hAJcl2siLDcZ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pkVJ5i3Vb1', 'bZrJGW8hEF', 'Wl3Jz0MIQO', 'AaFeYwq38k', 'znYe3pEYhj', 'eKCeJ7R9JI', 'yXxeebd3Nu', 'yq7FgWHUgUkJkmYGC5X'

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 2170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 1EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 7AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 6440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 8AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 6620000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1392	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 1292	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 2156	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2736	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009A0080 mov ecx, dword ptr fs:[00000030h]	9_2_009A0080
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009A00EA mov eax, dword ptr fs:[00000030h]	9_2_009A00EA
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 9_2_009C26F8 mov eax, dword ptr fs:[00000030h]	9_2_009C26F8

Source: Yara match	File source: 5.2.winiti.exe.460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.21938ac.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.21938ac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.372607440.0000000000460000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372745641.0000000002171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	32 Exploitation for Client Execution	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	12 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement