Windows Analysis Report
SecuriteInfo.com.Variant.Jaik.72878.26055.480

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Jaik.72878.26055.480 (renamed file extension from 480 to exe)
Analysis ID: 626277
MD5: 029bbe98a216416eb698ca543a5c0830
SHA1: a24173f1daf45d7444e3c698c3ae09a540a818dd
SHA256: e73b7de772353638addd480041e90a67f27d8d5b087bf222b1c6649c54b9cc57
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe Virustotal: Detection: 49%
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe ReversingLabs: Detection: 51%
Source: Yara match File source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.cortesdisenosroutercnc.com/itq4/ Avira URL Cloud: Label: malware
Source: www.cortesdisenosroutercnc.com/itq4/ Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe Joe Sandbox ML: detected
Source: 4.2.idcqz.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.idcqz.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.idcqz.exe.1870000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.idcqz.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.idcqz.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL source: idcqz.exe, 00000004.00000002.468367240.0000000003340000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: idcqz.exe, 00000003.00000003.380042603.000000001AEA0000.00000004.00001000.00020000.00000000.sdmp, idcqz.exe, 00000003.00000003.379722541.000000001AD10000.00000004.00001000.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.384802429.0000000001151000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.387064387.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.465859407.0000000001480000.00000040.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.466270888.000000000159F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.465569389.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.467369844.000000000426A000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.656523935.000000000451F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.651910210.0000000004400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe, 00000000.00000002.399346921.0000000000788000.00000004.00000001.01000000.00000003.sdmp, idcqz.exe, 00000003.00000002.384977536.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, idcqz.exe, 00000003.00000000.375241960.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, idcqz.exe, 00000004.00000002.465593311.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, cmstp.exe, 0000000C.00000002.658449919.0000000004937000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 0000000C.00000002.650828701.000000000072B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.640009311.00000000072C7000.00000004.80000000.00040000.00000000.sdmp, nsrF91A.tmp.0.dr, idcqz.exe.0.dr
Source: Binary string: wntdll.pdb source: idcqz.exe, idcqz.exe, 00000004.00000003.384802429.0000000001151000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.387064387.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.465859407.0000000001480000.00000040.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.466270888.000000000159F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000C.00000003.465569389.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.467369844.000000000426A000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.656523935.000000000451F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.651910210.0000000004400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: idcqz.exe, 00000004.00000002.468367240.0000000003340000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4x nop then pop edi 4_2_0040C400
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 12_2_0041C400

Networking

Source: Malware configuration extractor URLs: www.cortesdisenosroutercnc.com/itq4/
Source: explorer.exe, 00000017.00000003.623277440.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.627859968.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.616313206.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.618394184.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.624564118.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.618207201.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.617363811.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.614448427.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.638582873.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.615626690.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.614959896.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F

E-Banking Fraud

Source: Yara match File source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A71890 3_2_00A71890
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A796A0 3_2_00A796A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A77E88 3_2_00A77E88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A79C12 3_2_00A79C12
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A7C3BD 3_2_00A7C3BD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A7A184 3_2_00A7A184
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A7B3F1 3_2_00A7B3F1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_01860A56 3_2_01860A56
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00401026 4_2_00401026
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041BA41 4_2_0041BA41
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041D345 4_2_0041D345
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00408C7B 4_2_00408C7B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041C405 4_2_0041C405
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00408C80 4_2_00408C80
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00402D88 4_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041CFD5 4_2_0041CFD5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A71890 4_2_00A71890
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A7A184 4_2_00A7A184
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A7C3BD 4_2_00A7C3BD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A7B3F1 4_2_00A7B3F1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A79C12 4_2_00A79C12
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A796A0 4_2_00A796A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A77E88 4_2_00A77E88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AF900 4_2_014AF900
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C4120 4_2_014C4120
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561002 4_2_01561002
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0157E824 4_2_0157E824
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA830 4_2_014CA830
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015728EC 4_2_015728EC
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BB090 4_2_014BB090
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D20A0 4_2_014D20A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015720A8 4_2_015720A8
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CAB40 4_2_014CAB40
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01572B28 4_2_01572B28
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156DBD2 4_2_0156DBD2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015603DA 4_2_015603DA
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DEBB0 4_2_014DEBB0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0155FA2B 4_2_0155FA2B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015722AE 4_2_015722AE
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01571D55 4_2_01571D55
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01572D07 4_2_01572D07
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A0D20 4_2_014A0D20
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015725DD 4_2_015725DD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BD5E0 4_2_014BD5E0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D2581 4_2_014D2581
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156D466 4_2_0156D466
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B841F 4_2_014B841F
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0157DFCE 4_2_0157DFCE
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01571FF1 4_2_01571FF1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156D616 4_2_0156D616
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C6E30 4_2_014C6E30
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01572EF7 4_2_01572EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044ED466 12_2_044ED466
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0443841F 12_2_0443841F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F1D55 12_2_044F1D55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F2D07 12_2_044F2D07
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04420D20 12_2_04420D20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F25DD 12_2_044F25DD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0443D5E0 12_2_0443D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04452581 12_2_04452581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044ED616 12_2_044ED616
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04446E30 12_2_04446E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F2EF7 12_2_044F2EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044FDFCE 12_2_044FDFCE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F1FF1 12_2_044F1FF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1002 12_2_044E1002
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044FE824 12_2_044FE824
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0444A830 12_2_0444A830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F28EC 12_2_044F28EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0443B090 12_2_0443B090
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044520A0 12_2_044520A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F20A8 12_2_044F20A8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0442F900 12_2_0442F900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04444120 12_2_04444120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044DFA2B 12_2_044DFA2B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F22AE 12_2_044F22AE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0444AB40 12_2_0444AB40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F2B28 12_2_044F2B28
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E03DA 12_2_044E03DA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044EDBD2 12_2_044EDBD2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0445EBB0 12_2_0445EBB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042BA41 12_2_0042BA41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042D345 12_2_0042D345
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_00418C7B 12_2_00418C7B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042C405 12_2_0042C405
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_00418C80 12_2_00418C80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_00412D88 12_2_00412D88
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_00412D90 12_2_00412D90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042CFD5 12_2_0042CFD5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_00412FB0 12_2_00412FB0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: String function: 00A74599 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: String function: 00A72400 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: String function: 014AB150 appears 54 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 0442B150 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_004185E0 NtCreateFile, 4_2_004185E0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00418690 NtReadFile, 4_2_00418690
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00418710 NtClose, 4_2_00418710
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_004187C0 NtAllocateVirtualMemory, 4_2_004187C0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_004185DA NtCreateFile, 4_2_004185DA
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041868A NtReadFile, 4_2_0041868A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041870A NtClose, 4_2_0041870A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_014E9910
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E99A0 NtCreateSection,LdrInitializeThunk, 4_2_014E99A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9840 NtDelayExecution,LdrInitializeThunk, 4_2_014E9840
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_014E9860
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E98F0 NtReadVirtualMemory,LdrInitializeThunk, 4_2_014E98F0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9A50 NtCreateFile,LdrInitializeThunk, 4_2_014E9A50
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_014E9A00
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9A20 NtResumeThread,LdrInitializeThunk, 4_2_014E9A20
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9540 NtReadFile,LdrInitializeThunk, 4_2_014E9540
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E95D0 NtClose,LdrInitializeThunk, 4_2_014E95D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9710 NtQueryInformationToken,LdrInitializeThunk, 4_2_014E9710
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9FE0 NtCreateMutant,LdrInitializeThunk, 4_2_014E9FE0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9780 NtMapViewOfSection,LdrInitializeThunk, 4_2_014E9780
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_014E97A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_014E9660
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_014E96E0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9950 NtQueueApcThread, 4_2_014E9950
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E99D0 NtCreateProcessEx, 4_2_014E99D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014EB040 NtSuspendThread, 4_2_014EB040
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9820 NtEnumerateKey, 4_2_014E9820
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E98A0 NtWriteVirtualMemory, 4_2_014E98A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9B00 NtSetValueKey, 4_2_014E9B00
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014EA3B0 NtGetContextThread, 4_2_014EA3B0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9A10 NtQuerySection, 4_2_014E9A10
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9A80 NtOpenDirectoryObject, 4_2_014E9A80
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9560 NtWriteFile, 4_2_014E9560
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9520 NtWaitForSingleObject, 4_2_014E9520
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014EAD30 NtSetContextThread, 4_2_014EAD30
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E95F0 NtQueryInformationFile, 4_2_014E95F0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9760 NtOpenProcess, 4_2_014E9760
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014EA770 NtOpenThread, 4_2_014EA770
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9770 NtSetInformationFile, 4_2_014E9770
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014EA710 NtOpenProcessToken, 4_2_014EA710
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9730 NtQueryVirtualMemory, 4_2_014E9730
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9650 NtQueryValueKey, 4_2_014E9650
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9670 NtQueryInformationProcess, 4_2_014E9670
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E9610 NtEnumerateValueKey, 4_2_014E9610
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E96D0 NtCreateKey, 4_2_014E96D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469540 NtReadFile,LdrInitializeThunk, 12_2_04469540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044695D0 NtClose,LdrInitializeThunk, 12_2_044695D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469650 NtQueryValueKey,LdrInitializeThunk, 12_2_04469650
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469660 NtAllocateVirtualMemory,LdrInitializeThunk, 12_2_04469660
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044696D0 NtCreateKey,LdrInitializeThunk, 12_2_044696D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044696E0 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_044696E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469710 NtQueryInformationToken,LdrInitializeThunk, 12_2_04469710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469FE0 NtCreateMutant,LdrInitializeThunk, 12_2_04469FE0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469780 NtMapViewOfSection,LdrInitializeThunk, 12_2_04469780
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469840 NtDelayExecution,LdrInitializeThunk, 12_2_04469840
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469860 NtQuerySystemInformation,LdrInitializeThunk, 12_2_04469860
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469910 NtAdjustPrivilegesToken,LdrInitializeThunk, 12_2_04469910
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044699A0 NtCreateSection,LdrInitializeThunk, 12_2_044699A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469A50 NtCreateFile,LdrInitializeThunk, 12_2_04469A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469560 NtWriteFile, 12_2_04469560
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469520 NtWaitForSingleObject, 12_2_04469520
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0446AD30 NtSetContextThread, 12_2_0446AD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044695F0 NtQueryInformationFile, 12_2_044695F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469670 NtQueryInformationProcess, 12_2_04469670
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469610 NtEnumerateValueKey, 12_2_04469610
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469760 NtOpenProcess, 12_2_04469760
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0446A770 NtOpenThread, 12_2_0446A770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469770 NtSetInformationFile, 12_2_04469770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0446A710 NtOpenProcessToken, 12_2_0446A710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469730 NtQueryVirtualMemory, 12_2_04469730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044697A0 NtUnmapViewOfSection, 12_2_044697A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0446B040 NtSuspendThread, 12_2_0446B040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469820 NtEnumerateKey, 12_2_04469820
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044698F0 NtReadVirtualMemory, 12_2_044698F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044698A0 NtWriteVirtualMemory, 12_2_044698A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469950 NtQueueApcThread, 12_2_04469950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044699D0 NtCreateProcessEx, 12_2_044699D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469A00 NtProtectVirtualMemory, 12_2_04469A00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469A10 NtQuerySection, 12_2_04469A10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469A20 NtResumeThread, 12_2_04469A20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469A80 NtOpenDirectoryObject, 12_2_04469A80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04469B00 NtSetValueKey, 12_2_04469B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0446A3B0 NtGetContextThread, 12_2_0446A3B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_004285E0 NtCreateFile, 12_2_004285E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_00428690 NtReadFile, 12_2_00428690
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_00428710 NtClose, 12_2_00428710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_004287C0 NtAllocateVirtualMemory, 12_2_004287C0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_004285DA NtCreateFile, 12_2_004285DA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042868A NtReadFile, 12_2_0042868A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042870A NtClose, 12_2_0042870A
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\idcqz.exe 9E398BB06FD1CBF54E40BFB36211CBD5C73AF57E652603C9B6A37A70DAB5AF4D
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe Virustotal: Detection: 49%
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idcqz.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idcqz.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe File created: C:\Users\user\AppData\Local\Temp\nsrF919.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404ABB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL source: idcqz.exe, 00000004.00000002.468367240.0000000003340000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: idcqz.exe, 00000003.00000003.380042603.000000001AEA0000.00000004.00001000.00020000.00000000.sdmp, idcqz.exe, 00000003.00000003.379722541.000000001AD10000.00000004.00001000.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.384802429.0000000001151000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.387064387.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.465859407.0000000001480000.00000040.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.466270888.000000000159F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.465569389.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.467369844.000000000426A000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.656523935.000000000451F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.651910210.0000000004400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe, 00000000.00000002.399346921.0000000000788000.00000004.00000001.01000000.00000003.sdmp, idcqz.exe, 00000003.00000002.384977536.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, idcqz.exe, 00000003.00000000.375241960.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, idcqz.exe, 00000004.00000002.465593311.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, cmstp.exe, 0000000C.00000002.658449919.0000000004937000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 0000000C.00000002.650828701.000000000072B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.640009311.00000000072C7000.00000004.80000000.00040000.00000000.sdmp, nsrF91A.tmp.0.dr, idcqz.exe.0.dr
Source: Binary string: wntdll.pdb source: idcqz.exe, idcqz.exe, 00000004.00000003.384802429.0000000001151000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.387064387.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.465859407.0000000001480000.00000040.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.466270888.000000000159F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000C.00000003.465569389.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.467369844.000000000426A000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.656523935.000000000451F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.651910210.0000000004400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: idcqz.exe, 00000004.00000002.468367240.0000000003340000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A72445 push ecx; ret 3_2_00A72458
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041B822 push eax; ret 4_2_0041B828
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041B82B push eax; ret 4_2_0041B892
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041B88C push eax; ret 4_2_0041B892
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041BA41 push edi; ret 4_2_0041BD3C
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00415387 push edi; ret 4_2_00415388
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041A4B1 push ecx; ret 4_2_0041A4B8
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041BD3D push edi; ret 4_2_0041BE9F
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0041B7D5 push eax; ret 4_2_0041B828
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A72445 push ecx; ret 4_2_00A72458
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014FD0D1 push ecx; ret 4_2_014FD0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0447D0D1 push ecx; ret 12_2_0447D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042B822 push eax; ret 12_2_0042B828
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042B82B push eax; ret 12_2_0042B892
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042B88C push eax; ret 12_2_0042B892
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042BA41 push edi; ret 12_2_0042BD3C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_00425387 push edi; ret 12_2_00425388
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042A4B1 push ecx; ret 12_2_0042A4B8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042BD3D push edi; ret 12_2_0042BE9F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0042B7D5 push eax; ret 12_2_0042B828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe File created: C:\Users\user\AppData\Local\Temp\idcqz.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A71890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00A71890
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000418604 second address: 000000000041860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 000000000041899E second address: 00000000004189A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_004088D0 rdtsc 4_2_004088D0
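The RDTSC interceptor entries above record the same eight-byte idiom (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc) at 0x408604 and 0x40899E in idcqz.exe and at 0x418604 and 0x41899E in cmstp.exe, a constant 0x10000 shift that also holds for the push/ret entries (0x0041B822 vs 0x0042B822), consistent with one injected image mapped at a different base in the hollowed cmstp.exe. The scanner below is an added example, not code from the report or from the sample: it runs over a raw code blob (for instance an unpacked .sdmp region) and flags three of the primitives this section lists, two rdtsc reads close together, reads of the PEB through fs:[30h], and an adjacent push r32; ret. The SAMPLE bytes are constructed to reproduce the reported idiom and the base address 0x408604 is taken from the report; everything else is an assumption of the example.

```python
"""Raw-byte scanner for three evasion idioms flagged in this report.

Added example, not code from the report or the sample. It looks for the
rdtsc/rdtsc timing check, PEB reads via fs:[30h], and push r32; ret pairs.
"""
import re
from dataclasses import dataclass
from typing import List

RDTSC = b"\x0f\x31"  # rdtsc opcode
# mov eax, fs:[30h] (64 A1 disp32) or mov eax/ecx/edx/ebx, fs:[30h] (64 8B /r disp32)
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d])\x30\x00\x00\x00")
# push eax..edi (50..57) immediately followed by ret (C3): push/ret as a jump
PUSH_RET = re.compile(rb"[\x50-\x57]\xc3")


@dataclass
class Hit:
    kind: str
    offset: int  # virtual address when a base is supplied, else blob offset
    detail: str


def find_rdtsc_pairs(code: bytes, base: int = 0, window: int = 16) -> List[Hit]:
    """Flag two rdtsc reads within `window` bytes of each other.

    A lone rdtsc is common in benign code (timers, seeds). The report's
    pattern is rdtsc / xor ecx,ecx / add ecx,eax / rdtsc: a second read six
    bytes after the first, whose delta is then compared against a threshold
    that a hypervisor trap or sandbox interceptor inflates.
    """
    hits: List[Hit] = []
    positions = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    for first, second in zip(positions, positions[1:]):
        if second - first <= window:
            hits.append(Hit("rdtsc-pair", base + first,
                            f"second rdtsc at {base + second:#010x}, "
                            f"gap {second - first} bytes"))
    return hits


def scan(code: bytes, base: int = 0) -> List[Hit]:
    """Run all three patterns over a code blob; hits come back sorted by address."""
    hits = find_rdtsc_pairs(code, base)
    hits += [Hit("peb-read", base + m.start(), "mov r32, dword ptr fs:[30h]")
             for m in PEB_READ.finditer(code)]
    hits += [Hit("push-ret", base + m.start(), "push r32; ret")
             for m in PUSH_RET.finditer(code)]
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample bytes (not a dump from the report): the reported rdtsc
# idiom, some padding, a PEB read, then push ecx; ret.
SAMPLE = bytes.fromhex(
    "0f31" "31c9" "01c1" "0f31"  # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc (offsets 0,2,4,6)
    "90909090"                   # nop x4
    "64a130000000"               # mov eax, dword ptr fs:[30h]            (offset 12)
    "51c3"                       # push ecx; ret                          (offset 18)
)

if __name__ == "__main__":
    # Base chosen to match the first interceptor address in the report, 0x408604.
    for hit in scan(SAMPLE, base=0x408604):
        print(f"{hit.offset:#010x}  {hit.kind:<10}  {hit.detail}")
```

Run it over unpacked memory regions rather than the packed file on disk; the report's hits live in .sdmp dumps of idcqz.exe and cmstp.exe, not in the NSIS installer. Because this is a byte scan without disassembly, the same sequences can occur inside immediates or data, so confirm each hit in a disassembler before treating it as evidence. The report's own push/ret entries pair a function's entry push with its return instruction some bytes later; the adjacent push r32; ret form matched here is the narrower control-transfer variant.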
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe API coverage: 5.1 %
Source: C:\Windows\SysWOW64\cmstp.exe API coverage: 8.9 %
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000017.00000003.615598802.0000000005D41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000007.00000000.409754141.00000000080FC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: |Prod_VMware_SATA)
Source: explorer.exe, 00000017.00000003.574130494.0000000006A27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.444400997.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 00000017.00000003.574130494.0000000006A27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X0
Source: explorer.exe, 00000017.00000003.615598802.0000000005D41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00~P
Source: explorer.exe, 00000017.00000000.637078790.0000000005A53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00pi
Source: explorer.exe, 00000017.00000003.614409453.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000017.00000000.604037925.0000000005AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000_8w
Source: explorer.exe, 00000017.00000000.572161050.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000017.00000000.620792466.0000000006991000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.392510923.00000000042EE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
Source: explorer.exe, 00000017.00000003.614959896.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000s
Source: explorer.exe, 00000017.00000003.625577351.0000000005CBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.604037925.0000000005AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000~
Source: explorer.exe, 00000017.00000000.614314963.0000000005B73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000_25
Source: explorer.exe, 00000017.00000000.622405781.00000000069C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000017.00000003.615003965.0000000005D20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000017.00000003.614409453.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000003.625577351.0000000005CBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000017.00000000.572161050.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.622405781.00000000069C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000007.00000000.444601213.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
Source: explorer.exe, 00000017.00000000.622818889.00000000069D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: explorer.exe, 00000017.00000000.637176584.0000000005A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000J
Source: explorer.exe, 00000017.00000003.617081022.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f
Source: explorer.exe, 00000007.00000000.436779605.00000000042A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O
Source: explorer.exe, 00000017.00000000.604037925.0000000005AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A77A95 IsDebuggerPresent, 3_2_00A77A95
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A7558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_00A7558A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A786ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 3_2_00A786ED
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_004088D0 rdtsc 4_2_004088D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_018603F8 mov eax, dword ptr fs:[00000030h] 3_2_018603F8
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_01860736 mov eax, dword ptr fs:[00000030h] 3_2_01860736
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_01860772 mov eax, dword ptr fs:[00000030h] 3_2_01860772
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_018606F7 mov eax, dword ptr fs:[00000030h] 3_2_018606F7
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_0186061D mov eax, dword ptr fs:[00000030h] 3_2_0186061D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CB944 mov eax, dword ptr fs:[00000030h] 4_2_014CB944
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CB944 mov eax, dword ptr fs:[00000030h] 4_2_014CB944
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AC962 mov eax, dword ptr fs:[00000030h] 4_2_014AC962
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AB171 mov eax, dword ptr fs:[00000030h] 4_2_014AB171
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AB171 mov eax, dword ptr fs:[00000030h] 4_2_014AB171
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A9100 mov eax, dword ptr fs:[00000030h] 4_2_014A9100
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A9100 mov eax, dword ptr fs:[00000030h] 4_2_014A9100
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A9100 mov eax, dword ptr fs:[00000030h] 4_2_014A9100
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C4120 mov eax, dword ptr fs:[00000030h] 4_2_014C4120
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C4120 mov eax, dword ptr fs:[00000030h] 4_2_014C4120
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C4120 mov eax, dword ptr fs:[00000030h] 4_2_014C4120
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C4120 mov eax, dword ptr fs:[00000030h] 4_2_014C4120
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C4120 mov ecx, dword ptr fs:[00000030h] 4_2_014C4120
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D513A mov eax, dword ptr fs:[00000030h] 4_2_014D513A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D513A mov eax, dword ptr fs:[00000030h] 4_2_014D513A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AB1E1 mov eax, dword ptr fs:[00000030h] 4_2_014AB1E1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AB1E1 mov eax, dword ptr fs:[00000030h] 4_2_014AB1E1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AB1E1 mov eax, dword ptr fs:[00000030h] 4_2_014AB1E1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015341E8 mov eax, dword ptr fs:[00000030h] 4_2_015341E8
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DA185 mov eax, dword ptr fs:[00000030h] 4_2_014DA185
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CC182 mov eax, dword ptr fs:[00000030h] 4_2_014CC182
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D2990 mov eax, dword ptr fs:[00000030h] 4_2_014D2990
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015251BE mov eax, dword ptr fs:[00000030h] 4_2_015251BE
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015251BE mov eax, dword ptr fs:[00000030h] 4_2_015251BE
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015251BE mov eax, dword ptr fs:[00000030h] 4_2_015251BE
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015251BE mov eax, dword ptr fs:[00000030h] 4_2_015251BE
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D61A0 mov eax, dword ptr fs:[00000030h] 4_2_014D61A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D61A0 mov eax, dword ptr fs:[00000030h] 4_2_014D61A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015649A4 mov eax, dword ptr fs:[00000030h] 4_2_015649A4
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015649A4 mov eax, dword ptr fs:[00000030h] 4_2_015649A4
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015649A4 mov eax, dword ptr fs:[00000030h] 4_2_015649A4
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015649A4 mov eax, dword ptr fs:[00000030h] 4_2_015649A4
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015269A6 mov eax, dword ptr fs:[00000030h] 4_2_015269A6
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C0050 mov eax, dword ptr fs:[00000030h] 4_2_014C0050
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C0050 mov eax, dword ptr fs:[00000030h] 4_2_014C0050
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01571074 mov eax, dword ptr fs:[00000030h] 4_2_01571074
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01562073 mov eax, dword ptr fs:[00000030h] 4_2_01562073
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01574015 mov eax, dword ptr fs:[00000030h] 4_2_01574015
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01574015 mov eax, dword ptr fs:[00000030h] 4_2_01574015
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01527016 mov eax, dword ptr fs:[00000030h] 4_2_01527016
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01527016 mov eax, dword ptr fs:[00000030h] 4_2_01527016
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01527016 mov eax, dword ptr fs:[00000030h] 4_2_01527016
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D002D mov eax, dword ptr fs:[00000030h] 4_2_014D002D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D002D mov eax, dword ptr fs:[00000030h] 4_2_014D002D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D002D mov eax, dword ptr fs:[00000030h] 4_2_014D002D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D002D mov eax, dword ptr fs:[00000030h] 4_2_014D002D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D002D mov eax, dword ptr fs:[00000030h] 4_2_014D002D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BB02A mov eax, dword ptr fs:[00000030h] 4_2_014BB02A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BB02A mov eax, dword ptr fs:[00000030h] 4_2_014BB02A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BB02A mov eax, dword ptr fs:[00000030h] 4_2_014BB02A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BB02A mov eax, dword ptr fs:[00000030h] 4_2_014BB02A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA830 mov eax, dword ptr fs:[00000030h] 4_2_014CA830
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA830 mov eax, dword ptr fs:[00000030h] 4_2_014CA830
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA830 mov eax, dword ptr fs:[00000030h] 4_2_014CA830
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA830 mov eax, dword ptr fs:[00000030h] 4_2_014CA830
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0153B8D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153B8D0 mov ecx, dword ptr fs:[00000030h] 4_2_0153B8D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0153B8D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0153B8D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0153B8D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0153B8D0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A58EC mov eax, dword ptr fs:[00000030h] 4_2_014A58EC
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A40E1 mov eax, dword ptr fs:[00000030h] 4_2_014A40E1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A40E1 mov eax, dword ptr fs:[00000030h] 4_2_014A40E1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A40E1 mov eax, dword ptr fs:[00000030h] 4_2_014A40E1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A9080 mov eax, dword ptr fs:[00000030h] 4_2_014A9080
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01523884 mov eax, dword ptr fs:[00000030h] 4_2_01523884
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01523884 mov eax, dword ptr fs:[00000030h] 4_2_01523884
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E90AF mov eax, dword ptr fs:[00000030h] 4_2_014E90AF
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D20A0 mov eax, dword ptr fs:[00000030h] 4_2_014D20A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D20A0 mov eax, dword ptr fs:[00000030h] 4_2_014D20A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D20A0 mov eax, dword ptr fs:[00000030h] 4_2_014D20A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D20A0 mov eax, dword ptr fs:[00000030h] 4_2_014D20A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D20A0 mov eax, dword ptr fs:[00000030h] 4_2_014D20A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D20A0 mov eax, dword ptr fs:[00000030h] 4_2_014D20A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DF0BF mov ecx, dword ptr fs:[00000030h] 4_2_014DF0BF
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DF0BF mov eax, dword ptr fs:[00000030h] 4_2_014DF0BF
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DF0BF mov eax, dword ptr fs:[00000030h] 4_2_014DF0BF
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014ADB40 mov eax, dword ptr fs:[00000030h] 4_2_014ADB40
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01578B58 mov eax, dword ptr fs:[00000030h] 4_2_01578B58
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AF358 mov eax, dword ptr fs:[00000030h] 4_2_014AF358
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014ADB60 mov ecx, dword ptr fs:[00000030h] 4_2_014ADB60
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D3B7A mov eax, dword ptr fs:[00000030h] 4_2_014D3B7A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D3B7A mov eax, dword ptr fs:[00000030h] 4_2_014D3B7A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156131B mov eax, dword ptr fs:[00000030h] 4_2_0156131B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015253CA mov eax, dword ptr fs:[00000030h] 4_2_015253CA
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015253CA mov eax, dword ptr fs:[00000030h] 4_2_015253CA
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CDBE9 mov eax, dword ptr fs:[00000030h] 4_2_014CDBE9
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D03E2 mov eax, dword ptr fs:[00000030h] 4_2_014D03E2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D03E2 mov eax, dword ptr fs:[00000030h] 4_2_014D03E2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D03E2 mov eax, dword ptr fs:[00000030h] 4_2_014D03E2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D03E2 mov eax, dword ptr fs:[00000030h] 4_2_014D03E2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D03E2 mov eax, dword ptr fs:[00000030h] 4_2_014D03E2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D03E2 mov eax, dword ptr fs:[00000030h] 4_2_014D03E2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B1B8F mov eax, dword ptr fs:[00000030h] 4_2_014B1B8F
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B1B8F mov eax, dword ptr fs:[00000030h] 4_2_014B1B8F
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0155D380 mov ecx, dword ptr fs:[00000030h] 4_2_0155D380
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D2397 mov eax, dword ptr fs:[00000030h] 4_2_014D2397
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156138A mov eax, dword ptr fs:[00000030h] 4_2_0156138A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DB390 mov eax, dword ptr fs:[00000030h] 4_2_014DB390
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D4BAD mov eax, dword ptr fs:[00000030h] 4_2_014D4BAD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D4BAD mov eax, dword ptr fs:[00000030h] 4_2_014D4BAD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D4BAD mov eax, dword ptr fs:[00000030h] 4_2_014D4BAD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01575BA5 mov eax, dword ptr fs:[00000030h] 4_2_01575BA5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156EA55 mov eax, dword ptr fs:[00000030h] 4_2_0156EA55
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01534257 mov eax, dword ptr fs:[00000030h] 4_2_01534257
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A9240 mov eax, dword ptr fs:[00000030h] 4_2_014A9240
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A9240 mov eax, dword ptr fs:[00000030h] 4_2_014A9240
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A9240 mov eax, dword ptr fs:[00000030h] 4_2_014A9240
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A9240 mov eax, dword ptr fs:[00000030h] 4_2_014A9240
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E927A mov eax, dword ptr fs:[00000030h] 4_2_014E927A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0155B260 mov eax, dword ptr fs:[00000030h] 4_2_0155B260
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0155B260 mov eax, dword ptr fs:[00000030h] 4_2_0155B260
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01578A62 mov eax, dword ptr fs:[00000030h] 4_2_01578A62
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156AA16 mov eax, dword ptr fs:[00000030h] 4_2_0156AA16
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156AA16 mov eax, dword ptr fs:[00000030h] 4_2_0156AA16
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B8A0A mov eax, dword ptr fs:[00000030h] 4_2_014B8A0A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C3A1C mov eax, dword ptr fs:[00000030h] 4_2_014C3A1C
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A5210 mov eax, dword ptr fs:[00000030h] 4_2_014A5210
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A5210 mov ecx, dword ptr fs:[00000030h] 4_2_014A5210
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A5210 mov eax, dword ptr fs:[00000030h] 4_2_014A5210
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A5210 mov eax, dword ptr fs:[00000030h] 4_2_014A5210
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AAA16 mov eax, dword ptr fs:[00000030h] 4_2_014AAA16
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AAA16 mov eax, dword ptr fs:[00000030h] 4_2_014AAA16
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E4A2C mov eax, dword ptr fs:[00000030h] 4_2_014E4A2C
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E4A2C mov eax, dword ptr fs:[00000030h] 4_2_014E4A2C
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA229 mov eax, dword ptr fs:[00000030h] 4_2_014CA229
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA229 mov eax, dword ptr fs:[00000030h] 4_2_014CA229
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA229 mov eax, dword ptr fs:[00000030h] 4_2_014CA229
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA229 mov eax, dword ptr fs:[00000030h] 4_2_014CA229
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA229 mov eax, dword ptr fs:[00000030h] 4_2_014CA229
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA229 mov eax, dword ptr fs:[00000030h] 4_2_014CA229
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA229 mov eax, dword ptr fs:[00000030h] 4_2_014CA229
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA229 mov eax, dword ptr fs:[00000030h] 4_2_014CA229
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CA229 mov eax, dword ptr fs:[00000030h] 4_2_014CA229
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D2ACB mov eax, dword ptr fs:[00000030h] 4_2_014D2ACB
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D2AE4 mov eax, dword ptr fs:[00000030h] 4_2_014D2AE4
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DD294 mov eax, dword ptr fs:[00000030h] 4_2_014DD294
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DD294 mov eax, dword ptr fs:[00000030h] 4_2_014DD294
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A52A5 mov eax, dword ptr fs:[00000030h] 4_2_014A52A5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A52A5 mov eax, dword ptr fs:[00000030h] 4_2_014A52A5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A52A5 mov eax, dword ptr fs:[00000030h] 4_2_014A52A5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A52A5 mov eax, dword ptr fs:[00000030h] 4_2_014A52A5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A52A5 mov eax, dword ptr fs:[00000030h] 4_2_014A52A5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BAAB0 mov eax, dword ptr fs:[00000030h] 4_2_014BAAB0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BAAB0 mov eax, dword ptr fs:[00000030h] 4_2_014BAAB0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DFAB0 mov eax, dword ptr fs:[00000030h] 4_2_014DFAB0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E3D43 mov eax, dword ptr fs:[00000030h] 4_2_014E3D43
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01523540 mov eax, dword ptr fs:[00000030h] 4_2_01523540
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01553D40 mov eax, dword ptr fs:[00000030h] 4_2_01553D40
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C7D50 mov eax, dword ptr fs:[00000030h] 4_2_014C7D50
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CC577 mov eax, dword ptr fs:[00000030h] 4_2_014CC577
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CC577 mov eax, dword ptr fs:[00000030h] 4_2_014CC577
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01578D34 mov eax, dword ptr fs:[00000030h] 4_2_01578D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0152A537 mov eax, dword ptr fs:[00000030h] 4_2_0152A537
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156E539 mov eax, dword ptr fs:[00000030h] 4_2_0156E539
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D4D3B mov eax, dword ptr fs:[00000030h] 4_2_014D4D3B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D4D3B mov eax, dword ptr fs:[00000030h] 4_2_014D4D3B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D4D3B mov eax, dword ptr fs:[00000030h] 4_2_014D4D3B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AAD30 mov eax, dword ptr fs:[00000030h] 4_2_014AAD30
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B3D34 mov eax, dword ptr fs:[00000030h] 4_2_014B3D34
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526DC9 mov eax, dword ptr fs:[00000030h] 4_2_01526DC9
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526DC9 mov eax, dword ptr fs:[00000030h] 4_2_01526DC9
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526DC9 mov eax, dword ptr fs:[00000030h] 4_2_01526DC9
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526DC9 mov ecx, dword ptr fs:[00000030h] 4_2_01526DC9
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526DC9 mov eax, dword ptr fs:[00000030h] 4_2_01526DC9
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526DC9 mov eax, dword ptr fs:[00000030h] 4_2_01526DC9
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01558DF1 mov eax, dword ptr fs:[00000030h] 4_2_01558DF1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BD5E0 mov eax, dword ptr fs:[00000030h] 4_2_014BD5E0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BD5E0 mov eax, dword ptr fs:[00000030h] 4_2_014BD5E0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0156FDE2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0156FDE2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0156FDE2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0156FDE2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A2D8A mov eax, dword ptr fs:[00000030h] 4_2_014A2D8A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A2D8A mov eax, dword ptr fs:[00000030h] 4_2_014A2D8A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A2D8A mov eax, dword ptr fs:[00000030h] 4_2_014A2D8A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A2D8A mov eax, dword ptr fs:[00000030h] 4_2_014A2D8A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A2D8A mov eax, dword ptr fs:[00000030h] 4_2_014A2D8A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D2581 mov eax, dword ptr fs:[00000030h] 4_2_014D2581
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D2581 mov eax, dword ptr fs:[00000030h] 4_2_014D2581
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D2581 mov eax, dword ptr fs:[00000030h] 4_2_014D2581
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D2581 mov eax, dword ptr fs:[00000030h] 4_2_014D2581
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DFD9B mov eax, dword ptr fs:[00000030h] 4_2_014DFD9B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DFD9B mov eax, dword ptr fs:[00000030h] 4_2_014DFD9B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D35A1 mov eax, dword ptr fs:[00000030h] 4_2_014D35A1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D1DB5 mov eax, dword ptr fs:[00000030h] 4_2_014D1DB5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D1DB5 mov eax, dword ptr fs:[00000030h] 4_2_014D1DB5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D1DB5 mov eax, dword ptr fs:[00000030h] 4_2_014D1DB5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015705AC mov eax, dword ptr fs:[00000030h] 4_2_015705AC
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015705AC mov eax, dword ptr fs:[00000030h] 4_2_015705AC
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153C450 mov eax, dword ptr fs:[00000030h] 4_2_0153C450
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153C450 mov eax, dword ptr fs:[00000030h] 4_2_0153C450
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DA44B mov eax, dword ptr fs:[00000030h] 4_2_014DA44B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014C746D mov eax, dword ptr fs:[00000030h] 4_2_014C746D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561C06 mov eax, dword ptr fs:[00000030h] 4_2_01561C06
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526C0A mov eax, dword ptr fs:[00000030h] 4_2_01526C0A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526C0A mov eax, dword ptr fs:[00000030h] 4_2_01526C0A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526C0A mov eax, dword ptr fs:[00000030h] 4_2_01526C0A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526C0A mov eax, dword ptr fs:[00000030h] 4_2_01526C0A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0157740D mov eax, dword ptr fs:[00000030h] 4_2_0157740D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0157740D mov eax, dword ptr fs:[00000030h] 4_2_0157740D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0157740D mov eax, dword ptr fs:[00000030h] 4_2_0157740D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DBC2C mov eax, dword ptr fs:[00000030h] 4_2_014DBC2C
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01578CD6 mov eax, dword ptr fs:[00000030h] 4_2_01578CD6
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526CF0 mov eax, dword ptr fs:[00000030h] 4_2_01526CF0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526CF0 mov eax, dword ptr fs:[00000030h] 4_2_01526CF0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01526CF0 mov eax, dword ptr fs:[00000030h] 4_2_01526CF0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015614FB mov eax, dword ptr fs:[00000030h] 4_2_015614FB
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B849B mov eax, dword ptr fs:[00000030h] 4_2_014B849B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BEF40 mov eax, dword ptr fs:[00000030h] 4_2_014BEF40
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014BFF60 mov eax, dword ptr fs:[00000030h] 4_2_014BFF60
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01578F6A mov eax, dword ptr fs:[00000030h] 4_2_01578F6A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153FF10 mov eax, dword ptr fs:[00000030h] 4_2_0153FF10
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153FF10 mov eax, dword ptr fs:[00000030h] 4_2_0153FF10
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DA70E mov eax, dword ptr fs:[00000030h] 4_2_014DA70E
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DA70E mov eax, dword ptr fs:[00000030h] 4_2_014DA70E
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0157070D mov eax, dword ptr fs:[00000030h] 4_2_0157070D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0157070D mov eax, dword ptr fs:[00000030h] 4_2_0157070D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CF716 mov eax, dword ptr fs:[00000030h] 4_2_014CF716
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A4F2E mov eax, dword ptr fs:[00000030h] 4_2_014A4F2E
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014A4F2E mov eax, dword ptr fs:[00000030h] 4_2_014A4F2E
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DE730 mov eax, dword ptr fs:[00000030h] 4_2_014DE730
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E37F5 mov eax, dword ptr fs:[00000030h] 4_2_014E37F5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01527794 mov eax, dword ptr fs:[00000030h] 4_2_01527794
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01527794 mov eax, dword ptr fs:[00000030h] 4_2_01527794
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01527794 mov eax, dword ptr fs:[00000030h] 4_2_01527794
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B8794 mov eax, dword ptr fs:[00000030h] 4_2_014B8794
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B7E41 mov eax, dword ptr fs:[00000030h] 4_2_014B7E41
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B7E41 mov eax, dword ptr fs:[00000030h] 4_2_014B7E41
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B7E41 mov eax, dword ptr fs:[00000030h] 4_2_014B7E41
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B7E41 mov eax, dword ptr fs:[00000030h] 4_2_014B7E41
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B7E41 mov eax, dword ptr fs:[00000030h] 4_2_014B7E41
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B7E41 mov eax, dword ptr fs:[00000030h] 4_2_014B7E41
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156AE44 mov eax, dword ptr fs:[00000030h] 4_2_0156AE44
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0156AE44 mov eax, dword ptr fs:[00000030h] 4_2_0156AE44
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B766D mov eax, dword ptr fs:[00000030h] 4_2_014B766D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CAE73 mov eax, dword ptr fs:[00000030h] 4_2_014CAE73
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CAE73 mov eax, dword ptr fs:[00000030h] 4_2_014CAE73
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CAE73 mov eax, dword ptr fs:[00000030h] 4_2_014CAE73
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CAE73 mov eax, dword ptr fs:[00000030h] 4_2_014CAE73
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014CAE73 mov eax, dword ptr fs:[00000030h] 4_2_014CAE73
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AC600 mov eax, dword ptr fs:[00000030h] 4_2_014AC600
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AC600 mov eax, dword ptr fs:[00000030h] 4_2_014AC600
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AC600 mov eax, dword ptr fs:[00000030h] 4_2_014AC600
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D8E00 mov eax, dword ptr fs:[00000030h] 4_2_014D8E00
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DA61C mov eax, dword ptr fs:[00000030h] 4_2_014DA61C
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014DA61C mov eax, dword ptr fs:[00000030h] 4_2_014DA61C
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01561608 mov eax, dword ptr fs:[00000030h] 4_2_01561608
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0155FE3F mov eax, dword ptr fs:[00000030h] 4_2_0155FE3F
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014AE620 mov eax, dword ptr fs:[00000030h] 4_2_014AE620
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01578ED6 mov eax, dword ptr fs:[00000030h] 4_2_01578ED6
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D36CC mov eax, dword ptr fs:[00000030h] 4_2_014D36CC
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014E8EC7 mov eax, dword ptr fs:[00000030h] 4_2_014E8EC7
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0155FEC0 mov eax, dword ptr fs:[00000030h] 4_2_0155FEC0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014B76E2 mov eax, dword ptr fs:[00000030h] 4_2_014B76E2
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_014D16E0 mov ecx, dword ptr fs:[00000030h] 4_2_014D16E0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_0153FE87 mov eax, dword ptr fs:[00000030h] 4_2_0153FE87
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01570EA5 mov eax, dword ptr fs:[00000030h] 4_2_01570EA5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01570EA5 mov eax, dword ptr fs:[00000030h] 4_2_01570EA5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_01570EA5 mov eax, dword ptr fs:[00000030h] 4_2_01570EA5
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_015246A7 mov eax, dword ptr fs:[00000030h] 4_2_015246A7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0445A44B mov eax, dword ptr fs:[00000030h] 12_2_0445A44B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044BC450 mov eax, dword ptr fs:[00000030h] 12_2_044BC450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044BC450 mov eax, dword ptr fs:[00000030h] 12_2_044BC450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0444746D mov eax, dword ptr fs:[00000030h] 12_2_0444746D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044A6C0A mov eax, dword ptr fs:[00000030h] 12_2_044A6C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044A6C0A mov eax, dword ptr fs:[00000030h] 12_2_044A6C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044A6C0A mov eax, dword ptr fs:[00000030h] 12_2_044A6C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044A6C0A mov eax, dword ptr fs:[00000030h] 12_2_044A6C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F740D mov eax, dword ptr fs:[00000030h] 12_2_044F740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F740D mov eax, dword ptr fs:[00000030h] 12_2_044F740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F740D mov eax, dword ptr fs:[00000030h] 12_2_044F740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E1C06 mov eax, dword ptr fs:[00000030h] 12_2_044E1C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0445BC2C mov eax, dword ptr fs:[00000030h] 12_2_0445BC2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F8CD6 mov eax, dword ptr fs:[00000030h] 12_2_044F8CD6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044E14FB mov eax, dword ptr fs:[00000030h] 12_2_044E14FB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044A6CF0 mov eax, dword ptr fs:[00000030h] 12_2_044A6CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044A6CF0 mov eax, dword ptr fs:[00000030h] 12_2_044A6CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044A6CF0 mov eax, dword ptr fs:[00000030h] 12_2_044A6CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0443849B mov eax, dword ptr fs:[00000030h] 12_2_0443849B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04463D43 mov eax, dword ptr fs:[00000030h] 12_2_04463D43
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044A3540 mov eax, dword ptr fs:[00000030h] 12_2_044A3540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044D3D40 mov eax, dword ptr fs:[00000030h] 12_2_044D3D40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04447D50 mov eax, dword ptr fs:[00000030h] 12_2_04447D50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0444C577 mov eax, dword ptr fs:[00000030h] 12_2_0444C577
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0444C577 mov eax, dword ptr fs:[00000030h] 12_2_0444C577
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_0442AD30 mov eax, dword ptr fs:[00000030h] 12_2_0442AD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_04433D34 mov eax, dword ptr fs:[00000030h] 12_2_04433D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044EE539 mov eax, dword ptr fs:[00000030h] 12_2_044EE539
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044F8D34 mov eax, dword ptr fs:[00000030h] 12_2_044F8D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 12_2_044AA537 mov eax, dword ptr fs:[00000030h] 12_2_044AA537
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00409B40 LdrLoadDll, 4_2_00409B40
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A7439B SetUnhandledExceptionFilter, 3_2_00A7439B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A743CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00A743CC
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A7439B SetUnhandledExceptionFilter, 4_2_00A7439B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 4_2_00A743CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00A743CC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 8B0000
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Memory written: C:\Users\user\AppData\Local\Temp\idcqz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Thread register set: target process: 3688
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3688
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 6668
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idcqz.exe"
Source: explorer.exe, 00000007.00000000.498037849.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.416908474.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.438469254.00000000058B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.416812056.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.390826076.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.417106058.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000017.00000003.599213825.000000000460E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.601470496.000000000460E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.574708182.000000000460E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanMicrosof
Source: explorer.exe, 00000007.00000000.390826076.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.417106058.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.435213624.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.390826076.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.417106058.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.435213624.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A73283 cpuid 3_2_00A73283
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe Code function: 3_2_00A73EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_00A73EC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: explorer.exe, 00000017.00000000.637078790.0000000005A53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information

Source: Yara match File source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

No contacted IP infos