Windows Analysis Report
SecuriteInfo.com.Variant.Jaik.72878.26055.480

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Jaik.72878.26055.480 (renamed file extension from 480 to exe)
Analysis ID: 626277
MD5: 029bbe98a216416eb698ca543a5c0830
SHA1: a24173f1daf45d7444e3c698c3ae09a540a818dd
SHA256: e73b7de772353638addd480041e90a67f27d8d5b087bf222b1c6649c54b9cc57
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • SecuriteInfo.com.Variant.Jaik.72878.26055.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe" MD5: 029BBE98A216416EB698CA543A5C0830)
    • idcqz.exe (PID: 5444 cmdline: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab MD5: 51F62DEF6DC686B87CC0BAFC31685546)
      • idcqz.exe (PID: 5408 cmdline: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab MD5: 51F62DEF6DC686B87CC0BAFC31685546)
        • explorer.exe (PID: 3688 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • cmstp.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
            • cmd.exe (PID: 3252 cmdline: /c del "C:\Users\user\AppData\Local\Temp\idcqz.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • explorer.exe (PID: 6668 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
{"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}
Source | Rule | Description | Author | Strings
0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source | Rule | Description | Author | Strings
4.2.idcqz.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.idcqz.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.idcqz.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dec:$sqlite3step: 68 34 1C 7B E1
        • 0x15d08:$sqlite3text: 68 38 2A 90 C5
        • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.0.idcqz.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.idcqz.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
No Sigma rule has matched
No Snort rule has matched

          AV Detection

Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Virustotal: Detection: 49%
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe | ReversingLabs: Detection: 51%
Source: Yara match | File source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.cortesdisenosroutercnc.com/itq4/ | Avira URL Cloud: Label: malware
Source: www.cortesdisenosroutercnc.com/itq4/ | Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Joe Sandbox ML: detected
Source: 4.2.idcqz.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.idcqz.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.idcqz.exe.1870000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.idcqz.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.idcqz.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL source: idcqz.exe, 00000004.00000002.468367240.0000000003340000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: idcqz.exe, 00000003.00000003.380042603.000000001AEA0000.00000004.00001000.00020000.00000000.sdmp, idcqz.exe, 00000003.00000003.379722541.000000001AD10000.00000004.00001000.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.384802429.0000000001151000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.387064387.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.465859407.0000000001480000.00000040.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.466270888.000000000159F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.465569389.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.467369844.000000000426A000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.656523935.000000000451F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.651910210.0000000004400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe, 00000000.00000002.399346921.0000000000788000.00000004.00000001.01000000.00000003.sdmp, idcqz.exe, 00000003.00000002.384977536.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, idcqz.exe, 00000003.00000000.375241960.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, idcqz.exe, 00000004.00000002.465593311.0000000000A7E000.00000002.00000001.01000000.00000006.sdmp, cmstp.exe, 0000000C.00000002.658449919.0000000004937000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 0000000C.00000002.650828701.000000000072B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.640009311.00000000072C7000.00000004.80000000.00040000.00000000.sdmp, nsrF91A.tmp.0.dr, idcqz.exe.0.dr
Source: Binary string: wntdll.pdb source: idcqz.exe, idcqz.exe, 00000004.00000003.384802429.0000000001151000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000003.387064387.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.465859407.0000000001480000.00000040.00000800.00020000.00000000.sdmp, idcqz.exe, 00000004.00000002.466270888.000000000159F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000C.00000003.465569389.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000003.467369844.000000000426A000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.656523935.000000000451F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 0000000C.00000002.651910210.0000000004400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: idcqz.exe, 00000004.00000002.468367240.0000000003340000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4x nop then pop edi | 4_2_0040C400
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 12_2_0041C400

          Networking

Source: Malware configuration extractor | URLs: www.cortesdisenosroutercnc.com/itq4/
Source: explorer.exe, 00000017.00000003.623277440.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.627859968.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.616313206.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.618394184.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.624564118.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.618207201.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.617363811.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.614448427.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.638582873.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.615626690.0000000005D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.614959896.0000000005CD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F

          E-Banking Fraud

Source: Yara match | File source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.idcqz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.idcqz.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.idcqz.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.idcqz.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.idcqz.exe.1870000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.idcqz.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.idcqz.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.idcqz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.idcqz.exe.1870000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.649764201.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.385147934.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.465827211.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.650352103.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.383459730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.453411186.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.650320550.0000000000680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.465393336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.429389252.000000000F07E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.382002117.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.467817917.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.26055.exe | Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 3_2_00A71890
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 3_2_00A796A0
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 3_2_00A77E88
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 3_2_00A79C12
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 3_2_00A7C3BD
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 3_2_00A7A184
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 3_2_00A7B3F1
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 3_2_01860A56
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00401026
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0041BA41
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0041D345
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00408C7B
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0041C405
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00408C80
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00402D88
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0041CFD5
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00A71890
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00A7A184
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00A7C3BD
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00A7B3F1
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00A79C12
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00A796A0
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00A77E88
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014AF900
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014C4120
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_01561002
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0157E824
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014CA830
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_015728EC
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014BB090
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014D20A0
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_015720A8
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014CAB40
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_01572B28
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0156DBD2
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_015603DA
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014DEBB0
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0155FA2B
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_015722AE
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_01571D55
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_01572D07
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014A0D20
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_015725DD
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014BD5E0
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014D2581
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0156D466
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014B841F
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0157DFCE
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_01571FF1
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0156D616
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014C6E30
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_01572EF7
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044ED466
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0443841F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044F1D55
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044F2D07
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04420D20
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044F25DD
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0443D5E0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04452581
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044ED616
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04446E30
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044F2EF7
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044FDFCE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044F1FF1
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044E1002
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044FE824
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0444A830
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044F28EC
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0443B090
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044520A0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044F20A8
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0442F900
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04444120
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044DFA2B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044F22AE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0444AB40
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044F2B28
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044E03DA
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044EDBD2
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0445EBB0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0042BA41
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0042D345
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_00418C7B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0042C405
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_00418C80
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_00412D88
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_00412D90
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0042CFD5
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_00412FB0
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: String function: 00A74599 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: String function: 00A72400 appears 54 times
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: String function: 014AB150 appears 54 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0442B150 appears 54 times
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_004185E0 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00418690 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_00418710 NtClose
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_004187C0 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_004185DA NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0041868A NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_0041870A NtClose
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9950 NtQueueApcThread
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E99D0 NtCreateProcessEx
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014EB040 NtSuspendThread
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9820 NtEnumerateKey
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E98A0 NtWriteVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9B00 NtSetValueKey
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014EA3B0 NtGetContextThread
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9A10 NtQuerySection
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9A80 NtOpenDirectoryObject
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9560 NtWriteFile
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9520 NtWaitForSingleObject
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014EAD30 NtSetContextThread
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E95F0 NtQueryInformationFile
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9760 NtOpenProcess
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014EA770 NtOpenThread
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9770 NtSetInformationFile
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014EA710 NtOpenProcessToken
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9730 NtQueryVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9650 NtQueryValueKey
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9670 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E9610 NtEnumerateValueKey
          Source: C:\Users\user\AppData\Local\Temp\idcqz.exe | Code function: 4_2_014E96D0 NtCreateKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044695D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044696D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044696E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044699A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469560 NtWriteFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0446AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_044695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0446A770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_0446A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 12_2_04469730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_044697A0 NtUnmapViewOfSection,12_2_044697A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0446B040 NtSuspendThread,12_2_0446B040
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04469820 NtEnumerateKey,12_2_04469820
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_044698F0 NtReadVirtualMemory,12_2_044698F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_044698A0 NtWriteVirtualMemory,12_2_044698A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04469950 NtQueueApcThread,12_2_04469950
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_044699D0 NtCreateProcessEx,12_2_044699D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04469A00 NtProtectVirtualMemory,12_2_04469A00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04469A10 NtQuerySection,12_2_04469A10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04469A20 NtResumeThread,12_2_04469A20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04469A80 NtOpenDirectoryObject,12_2_04469A80
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_04469B00 NtSetValueKey,12_2_04469B00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0446A3B0 NtGetContextThread,12_2_0446A3B0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_004285E0 NtCreateFile,12_2_004285E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_00428690 NtReadFile,12_2_00428690
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_00428710 NtClose,12_2_00428710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_004287C0 NtAllocateVirtualMemory,12_2_004287C0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_004285DA NtCreateFile,12_2_004285DA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0042868A NtReadFile,12_2_0042868A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 12_2_0042870A NtClos<