Analysis Report dNeoJAgJU5

Overview

General Information

Sample Name: dNeoJAgJU5 (renamed file extension from none to exe)
Analysis ID: 433079
MD5: d2a8ef4a18e3c6dc377daf765b37a9ca
SHA1: 7c6bcb0d6e1528af56b888657a26c186c818493b
SHA256: 931959c2c56185581ab2639948e3e207c5cb3c1e1c0225567c31f03a5b39e65d
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Found malware configuration
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}
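The extractor output above is the most actionable line in the report. A FormBook configuration carries one real C2 URL together with a long list of decoy domains that the bot also contacts so that the real server does not stand out in traffic, so the two lists must not be merged into a single blocklist. The following Python script is added here as a worked example; it is not part of the Joe Sandbox report or of any vendor tooling. It pulls the JSON out of an extractor line, validates the entries, and keeps the C2 and decoys apart so that a DNS or proxy log lookup can say which kind of host it has found. SAMPLE_LINE is the report's extractor line with the decoy list cut down to its first six entries; the function names are this example's own.

```python
"""Turn a Joe Sandbox 'Malware Configuration Extractor: FormBook {...}' line
into a structured IOC set that keeps the real C2 apart from the decoy domains."""
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the report's extractor line with the decoy list cut
# down to its first six entries so the example stays short.
SAMPLE_LINE = (
    'Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp '
    'Malware Configuration Extractor: FormBook {"C2 list": ["www.bucksnortneola.com/gw2/"], '
    '"decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", '
    '"nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com"]}'
)

_EXTRACTOR_RE = re.compile(
    r"Malware Configuration Extractor:\s*(?P<family>\w+)\s*(?P<json>\{.*\})\s*$"
)
# Permissive hostname check: dotted labels, 63 chars per label, 253 total.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)


def parse_extractor_line(line):
    """Return (family, config dict) from one extractor line, or raise."""
    m = _EXTRACTOR_RE.search(line)
    if not m:
        raise ValueError("no extractor output on this line")
    return m.group("family"), json.loads(m.group("json"))


def split_c2_url(raw):
    """FormBook stores the C2 as host/path with no scheme; urlsplit needs one."""
    parts = urlsplit(raw if "://" in raw else "http://" + raw)
    host = parts.hostname or ""
    if not _DOMAIN_RE.match(host):
        raise ValueError(f"C2 host does not look like a domain: {raw!r}")
    return {"url": raw, "host": host.lower(), "path": parts.path or "/"}


def build_iocs(config):
    """Separate the real C2 entries from the decoy domains, dropping junk and dupes."""
    c2 = [split_c2_url(u) for u in config.get("C2 list", [])]
    c2_hosts = {e["host"] for e in c2}
    decoys = []
    for d in config.get("decoy", []):
        d = d.strip().lower()
        if _DOMAIN_RE.match(d) and d not in c2_hosts and d not in decoys:
            decoys.append(d)
    return {"c2": c2, "decoys": decoys}


def classify_host(host, iocs):
    """Label a hostname seen in DNS/proxy logs as 'c2', 'decoy' or 'unknown'."""
    host = host.lower().rstrip(".")
    if any(host == e["host"] for e in iocs["c2"]):
        return "c2"
    if host in iocs["decoys"]:
        return "decoy"
    return "unknown"


def iocs_from_line(line):
    family, config = parse_extractor_line(line)
    return family, build_iocs(config)


if __name__ == "__main__":
    family, iocs = iocs_from_line(SAMPLE_LINE)
    print(family, json.dumps(iocs, indent=2))
```

Only the C2 entry (host plus the /gw2/ path) belongs on a block list with confidence; a decoy hit in logs is still worth an alert because the bot resolves decoys too, but it should be classified separately so that legitimate sites in the decoy list are not blocked outright.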
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: dNeoJAgJU5.exe Virustotal: Detection: 50%
Source: dNeoJAgJU5.exe Metadefender: Detection: 25%
Source: dNeoJAgJU5.exe ReversingLabs: Detection: 58%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE
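The fifteen Yara sources above encode where each FormBook hit was found. Cross-referencing the two naming schemes on this page shows that the first dump-name field is the PID in hex (0000000E is process 14, matching 14.0.dNeoJAgJU5.exe.400000.1), the second is the dump stage, and the fourth is the region base address. The Python script below is added as an example and is not Joe Sandbox code; it decodes both name formats, groups hits by process and page protection, and links each unpacked PE to the dump it was carved from. Treating the fifth dump-name field as a Windows PAGE_* protection value is this example's assumption, as is the nearest-lower-base heuristic in dump_for_unpack; the function names are the example's own.

```python
"""Decode Joe Sandbox memory-dump and unpacked-PE names from a Yara match list
so the hits can be grouped by process and page protection."""
import re
from collections import Counter

# Constructed sample: the report's fifteen "Yara detected FormBook" sources.
SAMPLE_SOURCES = [
    ("00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp", "MEMORY"),
    ("00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp", "MEMORY"),
    ("00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp", "MEMORY"),
    ("0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp", "MEMORY"),
    ("0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp", "MEMORY"),
    ("00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp", "MEMORY"),
    ("00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp", "MEMORY"),
    ("0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp", "MEMORY"),
    ("0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp", "MEMORY"),
    ("00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp", "MEMORY"),
    ("14.0.dNeoJAgJU5.exe.400000.1.raw.unpack", "UNPACKEDPE"),
    ("1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack", "UNPACKEDPE"),
    ("14.2.dNeoJAgJU5.exe.400000.0.raw.unpack", "UNPACKEDPE"),
    ("14.0.dNeoJAgJU5.exe.400000.1.unpack", "UNPACKEDPE"),
    ("14.2.dNeoJAgJU5.exe.400000.0.unpack", "UNPACKEDPE"),
]

# Windows PAGE_* constants. Reading the fifth dump-name field as the page
# protection is this example's assumption, not a documented Joe Sandbox field.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}

_DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.sdmp$", re.I)
_UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\."
    r"(?P<idx>\d+)\.(?:raw\.)?unpack$", re.I)


def parse_dump_name(name):
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    prot = int(m.group("prot"), 16)
    return {"pid": int(m.group("pid"), 16), "stage": int(m.group("stage"), 16),
            "base": int(m.group("base"), 16),
            "protection": PAGE_PROTECTION.get(prot, hex(prot)),
            "executable": bool(prot & 0xF0)}  # any PAGE_EXECUTE_* flag


def parse_unpack_name(name):
    m = _UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not an unpacked PE name: {name}")
    return {"pid": int(m.group("pid")), "stage": int(m.group("stage")),
            "image": m.group("image"), "base": int(m.group("base"), 16)}


def summarize(sources):
    """Hits per PID, how many sit in executable pages, and which PIDs yielded a PE."""
    dumps = [parse_dump_name(n) for n, t in sources if t == "MEMORY"]
    unpacked = [parse_unpack_name(n) for n, t in sources if t == "UNPACKEDPE"]
    return {"hits_per_pid": dict(Counter(d["pid"] for d in dumps)),
            "executable_hits": sum(d["executable"] for d in dumps),
            "unpacked_pids": sorted({u["pid"] for u in unpacked})}


def dump_for_unpack(unpack, dumps):
    """Heuristic: same PID and stage, highest dump base at or below the PE base."""
    cands = [d for d in dumps if d["pid"] == unpack["pid"]
             and d["stage"] == unpack["stage"] and d["base"] <= unpack["base"]]
    return max(cands, key=lambda d: d["base"], default=None)


if __name__ == "__main__":
    print(summarize(SAMPLE_SOURCES))
```

Run against this report the summary shows three hits in process 1 (the .NET loader, all in read-write heap regions), four in process 14 and three in process 17, with six of the ten memory hits in execute-read-write pages; the 0x400000 hits in process 14 are the hollowed image itself, which is why the same region appears as both a stage 0 and a stage 2 dump.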
Antivirus or Machine Learning detection for unpacked file
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: dNeoJAgJU5.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: dNeoJAgJU5.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: dNeoJAgJU5.exe, 0000000E.00000002.847661435.0000000000F20000.00000040.00000001.sdmp, msdt.exe, 00000011.00000002.910826461.0000000005040000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: dNeoJAgJU5.exe, msdt.exe
Source: Binary string: msdt.pdb source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 1_2_0070EB58
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 4x nop then pop esi 14_2_004172E4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 4x nop then pop edi 14_2_00417D55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop esi 17_2_00EB72E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 17_2_00EB7D55

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.bucksnortneola.com/gw2/
Source: dNeoJAgJU5.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: dNeoJAgJU5.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: dNeoJAgJU5.exe String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: dNeoJAgJU5.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: dNeoJAgJU5.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: dNeoJAgJU5.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: dNeoJAgJU5.exe String found in binary or memory: http://ocsp.comodoca.com0#
Source: dNeoJAgJU5.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: dNeoJAgJU5.exe String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: dNeoJAgJU5.exe String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: explorer.exe, 00000010.00000000.803168317.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: dNeoJAgJU5.exe String found in binary or memory: https://sectigo.com/CPS0D
Source: dNeoJAgJU5.exe String found in binary or memory: https://sectigo.com/CPS0U
Source: dNeoJAgJU5.exe String found in binary or memory: https://secure.comodo.com/CPS0L

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: dNeoJAgJU5.exe, 00000001.00000002.798370224.00000000007CA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the matched string is a DirectDraw hook entry (DirectDrawCreateEx in DDRAW.DLL) rather than a DirectInput call, so on its own this signature is weak evidence of keystroke capture; the FormBook classification rests on the Yara matches and the injection behaviour, not on this string.

E-Banking Fraud:

Yara detected FormBook
Source: the same fifteen Yara matches (ten MEMORY dumps, five UNPACKEDPE files) listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00419D60 NtCreateFile, 14_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00419E10 NtReadFile, 14_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00419E90 NtClose, 14_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00419F40 NtAllocateVirtualMemory, 14_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00419D5A NtCreateFile, 14_2_00419D5A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00419E8B NtClose, 14_2_00419E8B
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00419F3A NtAllocateVirtualMemory, 14_2_00419F3A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F898F0 NtReadVirtualMemory,LdrInitializeThunk, 14_2_00F898F0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_00F89860
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89840 NtDelayExecution,LdrInitializeThunk, 14_2_00F89840
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F899A0 NtCreateSection,LdrInitializeThunk, 14_2_00F899A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_00F89910
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89A50 NtCreateFile,LdrInitializeThunk, 14_2_00F89A50
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89A20 NtResumeThread,LdrInitializeThunk, 14_2_00F89A20
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89A00 NtProtectVirtualMemory,LdrInitializeThunk, 14_2_00F89A00
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F895D0 NtClose,LdrInitializeThunk, 14_2_00F895D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89540 NtReadFile,LdrInitializeThunk, 14_2_00F89540
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F896E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_00F896E0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_00F89660
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F897A0 NtUnmapViewOfSection,LdrInitializeThunk, 14_2_00F897A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89780 NtMapViewOfSection,LdrInitializeThunk, 14_2_00F89780
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89710 NtQueryInformationToken,LdrInitializeThunk, 14_2_00F89710
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F898A0 NtWriteVirtualMemory, 14_2_00F898A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F8B040 NtSuspendThread, 14_2_00F8B040
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89820 NtEnumerateKey, 14_2_00F89820
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F899D0 NtCreateProcessEx, 14_2_00F899D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89950 NtQueueApcThread, 14_2_00F89950
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89A80 NtOpenDirectoryObject, 14_2_00F89A80
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89A10 NtQuerySection, 14_2_00F89A10
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F8A3B0 NtGetContextThread, 14_2_00F8A3B0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89B00 NtSetValueKey, 14_2_00F89B00
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F895F0 NtQueryInformationFile, 14_2_00F895F0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89560 NtWriteFile, 14_2_00F89560
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F8AD30 NtSetContextThread, 14_2_00F8AD30
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89520 NtWaitForSingleObject, 14_2_00F89520
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F896D0 NtCreateKey, 14_2_00F896D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89670 NtQueryInformationProcess, 14_2_00F89670
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89650 NtQueryValueKey, 14_2_00F89650
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89610 NtEnumerateValueKey, 14_2_00F89610
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89FE0 NtCreateMutant, 14_2_00F89FE0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F8A770 NtOpenThread, 14_2_00F8A770
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89770 NtSetInformationFile, 14_2_00F89770
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89760 NtOpenProcess, 14_2_00F89760
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89730 NtQueryVirtualMemory, 14_2_00F89730
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F8A710 NtOpenProcessToken, 14_2_00F8A710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9540 NtReadFile,LdrInitializeThunk, 17_2_050A9540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A95D0 NtClose,LdrInitializeThunk, 17_2_050A95D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9710 NtQueryInformationToken,LdrInitializeThunk, 17_2_050A9710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9780 NtMapViewOfSection,LdrInitializeThunk, 17_2_050A9780
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9FE0 NtCreateMutant,LdrInitializeThunk, 17_2_050A9FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9650 NtQueryValueKey,LdrInitializeThunk, 17_2_050A9650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_050A9660
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A96D0 NtCreateKey,LdrInitializeThunk, 17_2_050A96D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_050A96E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_050A9910
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A99A0 NtCreateSection,LdrInitializeThunk, 17_2_050A99A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9840 NtDelayExecution,LdrInitializeThunk, 17_2_050A9840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_050A9860
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9A50 NtCreateFile,LdrInitializeThunk, 17_2_050A9A50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9520 NtWaitForSingleObject, 17_2_050A9520
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050AAD30 NtSetContextThread, 17_2_050AAD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9560 NtWriteFile, 17_2_050A9560
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A95F0 NtQueryInformationFile, 17_2_050A95F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050AA710 NtOpenProcessToken, 17_2_050AA710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9730 NtQueryVirtualMemory, 17_2_050A9730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9760 NtOpenProcess, 17_2_050A9760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050AA770 NtOpenThread, 17_2_050AA770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9770 NtSetInformationFile, 17_2_050A9770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A97A0 NtUnmapViewOfSection, 17_2_050A97A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9610 NtEnumerateValueKey, 17_2_050A9610
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9670 NtQueryInformationProcess, 17_2_050A9670
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9950 NtQueueApcThread, 17_2_050A9950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A99D0 NtCreateProcessEx, 17_2_050A99D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9820 NtEnumerateKey, 17_2_050A9820
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050AB040 NtSuspendThread, 17_2_050AB040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A98A0 NtWriteVirtualMemory, 17_2_050A98A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A98F0 NtReadVirtualMemory, 17_2_050A98F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9B00 NtSetValueKey, 17_2_050A9B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050AA3B0 NtGetContextThread, 17_2_050AA3B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9A00 NtProtectVirtualMemory, 17_2_050A9A00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9A10 NtQuerySection, 17_2_050A9A10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9A20 NtResumeThread, 17_2_050A9A20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9A80 NtOpenDirectoryObject, 17_2_050A9A80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EB9D60 NtCreateFile, 17_2_00EB9D60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EB9E90 NtClose, 17_2_00EB9E90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EB9E10 NtReadFile, 17_2_00EB9E10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EB9F40 NtAllocateVirtualMemory, 17_2_00EB9F40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EB9D5A NtCreateFile, 17_2_00EB9D5A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EB9E8B NtClose, 17_2_00EB9E8B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EB9F3A NtAllocateVirtualMemory, 17_2_00EB9F3A
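The list above is long but carries the evidence for the "process hollowing" and "Queues an APC in another process" signatures: both the dropped copy in %TEMP% (process 14) and the injected msdt.exe (process 17) resolve NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread and NtQueueApcThread. The Python script below is added as an example and is not Joe Sandbox code; it groups these "Code function" entries by process, keeps only the Nt*/Zw* names (dropping the LdrInitializeThunk suffix the report attaches to some entries), and reports which injection primitive sets each process has fully resolved. The primitive sets in PRIMITIVES are this example's own minimal definition, and SAMPLE_LINES is a constructed subset of the report: complete for process 14, deliberately reduced for process 17 so the "missing" output has something to show.

```python
"""Group the 'Contains functionality to call native functions' entries of a
Joe Sandbox report by process and check which code-injection primitive sets
(process hollowing, APC injection) each process has resolved."""
import re
from collections import defaultdict

# Constructed sample: entries copied from the report for PID 14 and a
# deliberately reduced subset for PID 17 (the real report lists the full set
# for both processes).
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00419D60 NtCreateFile, 14_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00419F40 NtAllocateVirtualMemory, 14_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89A20 NtResumeThread,LdrInitializeThunk, 14_2_00F89A20
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F897A0 NtUnmapViewOfSection,LdrInitializeThunk, 14_2_00F897A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_00F89660
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F898A0 NtWriteVirtualMemory, 14_2_00F898A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F899D0 NtCreateProcessEx, 14_2_00F899D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89950 NtQueueApcThread, 14_2_00F89950
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F8A3B0 NtGetContextThread, 14_2_00F8A3B0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F8AD30 NtSetContextThread, 14_2_00F8AD30
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F8A770 NtOpenThread, 14_2_00F8A770
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F89760 NtOpenProcess, 14_2_00F89760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050AAD30 NtSetContextThread, 17_2_050AAD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9950 NtQueueApcThread, 17_2_050A9950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A98A0 NtWriteVirtualMemory, 17_2_050A98A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A9760 NtOpenProcess, 17_2_050A9760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050AA770 NtOpenThread, 17_2_050AA770
""".strip().splitlines()

_ENTRY_RE = re.compile(
    r"Source:\s+(?P<path>.+?)\s+Code function:\s+"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+(?P<names>\S+)"
)

# Assumed minimal primitive sets; this example's own definition, not a Joe
# Sandbox classification.
PRIMITIVES = {
    "process_hollowing": {
        "NtCreateProcessEx", "NtUnmapViewOfSection", "NtAllocateVirtualMemory",
        "NtWriteVirtualMemory", "NtGetContextThread", "NtSetContextThread",
        "NtResumeThread",
    },
    "apc_injection": {
        "NtOpenProcess", "NtOpenThread", "NtWriteVirtualMemory", "NtQueueApcThread",
    },
}


def parse_native_calls(lines):
    """Return {pid: {"process": exe name, "calls": {NtName: [addr, ...]}}}."""
    procs = {}
    for line in lines:
        m = _ENTRY_RE.search(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        entry = procs.setdefault(pid, {
            "process": m.group("path").rsplit("\\", 1)[-1],
            "calls": defaultdict(list),
        })
        for name in m.group("names").split(","):
            if name.startswith(("Nt", "Zw")):  # native calls only; drop loader helpers
                entry["calls"][name].append(m.group("addr").upper())
    return procs


def missing_primitives(calls):
    """For each primitive set, the NT calls this process has NOT resolved."""
    present = set(calls)
    return {tech: sorted(needed - present) for tech, needed in PRIMITIVES.items()}


def processes_with_full_set(procs, technique):
    """PIDs whose resolved calls cover the whole primitive set for a technique."""
    return sorted(pid for pid, p in procs.items()
                  if not missing_primitives(p["calls"])[technique])


if __name__ == "__main__":
    procs = parse_native_calls(SAMPLE_LINES)
    for pid, p in sorted(procs.items()):
        print(pid, p["process"], missing_primitives(p["calls"]))
```

The same NT routine showing up at two addresses in one process (NtAllocateVirtualMemory at 0x00419F40 and 0x00F89660 in process 14) is itself a useful signal: one copy is in the unpacked image at 0x400000 and the other in a separately allocated region, which matches the report's user-mode inline hook and unpacker signatures.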
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0506B150 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: String function: 00F4B150 appears 133 times
PE / OLE file has an invalid certificate
Source: dNeoJAgJU5.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: dNeoJAgJU5.exe Binary or memory string: OriginalFilename vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.798768143.0000000000BC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.798370224.00000000007CA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWzjqbfipybrt.dll" vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.802828882.0000000004970000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.798858613.0000000000C30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.799715602.000000000346D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAwbznzeq.dll2 vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 0000000E.00000002.848550242.00000000011CF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe Binary or memory string: OriginalFilenameConsoleApp15.exeB vs dNeoJAgJU5.exe
Uses 32bit PE files
Source: dNeoJAgJU5.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: dNeoJAgJU5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dNeoJAgJU5.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/3@0/0
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dNeoJAgJU5.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_01
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe File created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dNeoJAgJU5.exe Virustotal: Detection: 50%
Source: dNeoJAgJU5.exe Metadefender: Detection: 25%
Source: dNeoJAgJU5.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe File read: C:\Users\user\Desktop\dNeoJAgJU5.exe
Source: unknown Process created: C:\Users\user\Desktop\dNeoJAgJU5.exe 'C:\Users\user\Desktop\dNeoJAgJU5.exe'
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Process created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Process created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: dNeoJAgJU5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: dNeoJAgJU5.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: dNeoJAgJU5.exe, 0000000E.00000002.847661435.0000000000F20000.00000040.00000001.sdmp, msdt.exe, 00000011.00000002.910826461.0000000005040000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: dNeoJAgJU5.exe, msdt.exe
Source: Binary string: msdt.pdb source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: dNeoJAgJU5.exe, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dNeoJAgJU5.exe.1.dr, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.dNeoJAgJU5.exe.50000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.dNeoJAgJU5.exe.50000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.dNeoJAgJU5.exe.370000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.dNeoJAgJU5.exe.370000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.dNeoJAgJU5.exe.4e0000.2.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.dNeoJAgJU5.exe.4e0000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dNeoJAgJU5.exe.4e0000.1.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Yara detected Costura Assembly Loader
Source: Yara match File source: dNeoJAgJU5.exe, type: SAMPLE
Source: Yara match File source: 00000001.00000002.796802403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.795971862.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.794448799.0000000000372000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.795210062.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.641852004.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.846927570.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.910650632.0000000004BF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.911108077.000000000556F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.793684008.0000000000372000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dNeoJAgJU5.exe PID: 7144, type: MEMORY
Source: Yara match File source: Process Memory Space: dNeoJAgJU5.exe PID: 6880, type: MEMORY
Source: Yara match File source: Process Memory Space: dNeoJAgJU5.exe PID: 4904, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, type: DROPPED
Source: Yara match File source: 17.2.msdt.exe.556f834.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.dNeoJAgJU5.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dNeoJAgJU5.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.msdt.exe.556f834.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.dNeoJAgJU5.exe.4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.dNeoJAgJU5.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.dNeoJAgJU5.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dNeoJAgJU5.exe.4e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dNeoJAgJU5.exe.50000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00417B68 push ebx; ret 14_2_00417B69
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0041CEB5 push eax; ret 14_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0041CF6C push eax; ret 14_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0041CF02 push eax; ret 14_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0041CF0B push eax; ret 14_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_004167E2 push esi; retf 14_2_004167F5
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0040C78D push ecx; iretd 14_2_0040C78E
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F9D0D1 push ecx; ret 14_2_00F9D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050BD0D1 push ecx; ret 17_2_050BD0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EB7B68 push ebx; ret 17_2_00EB7B69
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EBCEB5 push eax; ret 17_2_00EBCF08
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EB67E2 push esi; retf 17_2_00EB67F5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EAC78D push ecx; iretd 17_2_00EAC78E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EBCF6C push eax; ret 17_2_00EBCF72
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EBCF0B push eax; ret 17_2_00EBCF72
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00EBCF02 push eax; ret 17_2_00EBCF08
Source: initial sample Static PE information: section name: .text entropy: 7.99020457416

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe File created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE6
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000EA98E4 second address: 0000000000EA98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000EA9B5E second address: 0000000000EA9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00409A90 rdtsc 14_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe TID: 4732 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Thread delayed: delay time: 922337203685477
Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000010.00000000.816929944.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000010.00000000.817062872.000000000A64D000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATALL
Source: explorer.exe, 00000010.00000000.813704987.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: explorer.exe, 00000010.00000000.836654921.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000010.00000000.817203156.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000010.00000000.817203156.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000010.00000000.836654921.0000000004710000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00409A90 rdtsc 14_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Code function: 1_2_00701230 LdrInitializeThunk, 1_2_00701230
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6B8E4 mov eax, dword ptr fs:[00000030h] 14_2_00F6B8E4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F440E1 mov eax, dword ptr fs:[00000030h] 14_2_00F440E1
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F458EC mov eax, dword ptr fs:[00000030h] 14_2_00F458EC
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FDB8D0 mov eax, dword ptr fs:[00000030h] 14_2_00FDB8D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FDB8D0 mov ecx, dword ptr fs:[00000030h] 14_2_00FDB8D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7F0BF mov ecx, dword ptr fs:[00000030h] 14_2_00F7F0BF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7F0BF mov eax, dword ptr fs:[00000030h] 14_2_00F7F0BF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F890AF mov eax, dword ptr fs:[00000030h] 14_2_00F890AF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F720A0 mov eax, dword ptr fs:[00000030h] 14_2_00F720A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F49080 mov eax, dword ptr fs:[00000030h] 14_2_00F49080
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC3884 mov eax, dword ptr fs:[00000030h] 14_2_00FC3884
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_010049A4 mov eax, dword ptr fs:[00000030h] 14_2_010049A4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F60050 mov eax, dword ptr fs:[00000030h] 14_2_00F60050
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6A830 mov eax, dword ptr fs:[00000030h] 14_2_00F6A830
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7002D mov eax, dword ptr fs:[00000030h] 14_2_00F7002D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F5B02A mov eax, dword ptr fs:[00000030h] 14_2_00F5B02A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC7016 mov eax, dword ptr fs:[00000030h] 14_2_00FC7016
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01014015 mov eax, dword ptr fs:[00000030h] 14_2_01014015
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FD41E8 mov eax, dword ptr fs:[00000030h] 14_2_00FD41E8
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4B1E1 mov eax, dword ptr fs:[00000030h] 14_2_00F4B1E1
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC51BE mov eax, dword ptr fs:[00000030h] 14_2_00FC51BE
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F699BF mov ecx, dword ptr fs:[00000030h] 14_2_00F699BF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F699BF mov eax, dword ptr fs:[00000030h] 14_2_00F699BF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F761A0 mov eax, dword ptr fs:[00000030h] 14_2_00F761A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC69A6 mov eax, dword ptr fs:[00000030h] 14_2_00FC69A6
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F72990 mov eax, dword ptr fs:[00000030h] 14_2_00F72990
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7A185 mov eax, dword ptr fs:[00000030h] 14_2_00F7A185
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01002073 mov eax, dword ptr fs:[00000030h] 14_2_01002073
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6C182 mov eax, dword ptr fs:[00000030h] 14_2_00F6C182
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01011074 mov eax, dword ptr fs:[00000030h] 14_2_01011074
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4B171 mov eax, dword ptr fs:[00000030h] 14_2_00F4B171
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4C962 mov eax, dword ptr fs:[00000030h] 14_2_00F4C962
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6B944 mov eax, dword ptr fs:[00000030h] 14_2_00F6B944
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7513A mov eax, dword ptr fs:[00000030h] 14_2_00F7513A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F64120 mov eax, dword ptr fs:[00000030h] 14_2_00F64120
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F64120 mov ecx, dword ptr fs:[00000030h] 14_2_00F64120
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F49100 mov eax, dword ptr fs:[00000030h] 14_2_00F49100
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F72AE4 mov eax, dword ptr fs:[00000030h] 14_2_00F72AE4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0100131B mov eax, dword ptr fs:[00000030h] 14_2_0100131B
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F72ACB mov eax, dword ptr fs:[00000030h] 14_2_00F72ACB
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F5AAB0 mov eax, dword ptr fs:[00000030h] 14_2_00F5AAB0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7FAB0 mov eax, dword ptr fs:[00000030h] 14_2_00F7FAB0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F452A5 mov eax, dword ptr fs:[00000030h] 14_2_00F452A5
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01018B58 mov eax, dword ptr fs:[00000030h] 14_2_01018B58
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7D294 mov eax, dword ptr fs:[00000030h] 14_2_00F7D294
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F8927A mov eax, dword ptr fs:[00000030h] 14_2_00F8927A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0100138A mov eax, dword ptr fs:[00000030h] 14_2_0100138A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FFB260 mov eax, dword ptr fs:[00000030h] 14_2_00FFB260
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01015BA5 mov eax, dword ptr fs:[00000030h] 14_2_01015BA5
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FD4257 mov eax, dword ptr fs:[00000030h] 14_2_00FD4257
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F49240 mov eax, dword ptr fs:[00000030h] 14_2_00F49240
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F84A2C mov eax, dword ptr fs:[00000030h] 14_2_00F84A2C
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h] 14_2_00F6A229
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4AA16 mov eax, dword ptr fs:[00000030h] 14_2_00F4AA16
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F45210 mov eax, dword ptr fs:[00000030h] 14_2_00F45210
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F45210 mov ecx, dword ptr fs:[00000030h] 14_2_00F45210
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F63A1C mov eax, dword ptr fs:[00000030h] 14_2_00F63A1C
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F58A0A mov eax, dword ptr fs:[00000030h] 14_2_00F58A0A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F703E2 mov eax, dword ptr fs:[00000030h] 14_2_00F703E2
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0100AA16 mov eax, dword ptr fs:[00000030h] 14_2_0100AA16
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FF23E3 mov ecx, dword ptr fs:[00000030h] 14_2_00FF23E3
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FF23E3 mov eax, dword ptr fs:[00000030h] 14_2_00FF23E3
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6DBE9 mov eax, dword ptr fs:[00000030h] 14_2_00F6DBE9
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC53CA mov eax, dword ptr fs:[00000030h] 14_2_00FC53CA
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0100EA55 mov eax, dword ptr fs:[00000030h] 14_2_0100EA55
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F74BAD mov eax, dword ptr fs:[00000030h] 14_2_00F74BAD
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F72397 mov eax, dword ptr fs:[00000030h] 14_2_00F72397
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01018A62 mov eax, dword ptr fs:[00000030h] 14_2_01018A62
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7B390 mov eax, dword ptr fs:[00000030h] 14_2_00F7B390
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F51B8F mov eax, dword ptr fs:[00000030h] 14_2_00F51B8F
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FFD380 mov ecx, dword ptr fs:[00000030h] 14_2_00FFD380
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F73B7A mov eax, dword ptr fs:[00000030h] 14_2_00F73B7A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4DB60 mov ecx, dword ptr fs:[00000030h] 14_2_00F4DB60
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4F358 mov eax, dword ptr fs:[00000030h] 14_2_00F4F358
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4DB40 mov eax, dword ptr fs:[00000030h] 14_2_00F4DB40
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h] 14_2_01004AEF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h] 14_2_00F6A309
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC6CF0 mov eax, dword ptr fs:[00000030h] 14_2_00FC6CF0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01018D34 mov eax, dword ptr fs:[00000030h] 14_2_01018D34
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0100E539 mov eax, dword ptr fs:[00000030h] 14_2_0100E539
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F5849B mov eax, dword ptr fs:[00000030h] 14_2_00F5849B
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01002D82 mov eax, dword ptr fs:[00000030h] 14_2_01002D82
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7AC7B mov eax, dword ptr fs:[00000030h] 14_2_00F7AC7B
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6746D mov eax, dword ptr fs:[00000030h] 14_2_00F6746D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FDC450 mov eax, dword ptr fs:[00000030h] 14_2_00FDC450
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_010105AC mov eax, dword ptr fs:[00000030h] 14_2_010105AC
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7A44B mov eax, dword ptr fs:[00000030h] 14_2_00F7A44B
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7BC2C mov eax, dword ptr fs:[00000030h] 14_2_00F7BC2C
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0100FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0100FDE2
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC6C0A mov eax, dword ptr fs:[00000030h] 14_2_00FC6C0A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01001C06 mov eax, dword ptr fs:[00000030h] 14_2_01001C06
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0101740D mov eax, dword ptr fs:[00000030h] 14_2_0101740D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FF8DF1 mov eax, dword ptr fs:[00000030h] 14_2_00FF8DF1
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F5D5E0 mov eax, dword ptr fs:[00000030h] 14_2_00F5D5E0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC6DC9 mov eax, dword ptr fs:[00000030h] 14_2_00FC6DC9
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC6DC9 mov ecx, dword ptr fs:[00000030h] 14_2_00FC6DC9
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F71DB5 mov eax, dword ptr fs:[00000030h] 14_2_00F71DB5
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F735A1 mov eax, dword ptr fs:[00000030h] 14_2_00F735A1
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7FD9B mov eax, dword ptr fs:[00000030h] 14_2_00F7FD9B
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F72581 mov eax, dword ptr fs:[00000030h] 14_2_00F72581
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F42D8A mov eax, dword ptr fs:[00000030h] 14_2_00F42D8A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6C577 mov eax, dword ptr fs:[00000030h] 14_2_00F6C577
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01004496 mov eax, dword ptr fs:[00000030h] 14_2_01004496
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F67D50 mov eax, dword ptr fs:[00000030h] 14_2_00F67D50
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F83D43 mov eax, dword ptr fs:[00000030h] 14_2_00F83D43
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC3540 mov eax, dword ptr fs:[00000030h] 14_2_00FC3540
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FF3D40 mov eax, dword ptr fs:[00000030h] 14_2_00FF3D40
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F53D34 mov eax, dword ptr fs:[00000030h] 14_2_00F53D34
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4AD30 mov eax, dword ptr fs:[00000030h] 14_2_00F4AD30
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FCA537 mov eax, dword ptr fs:[00000030h] 14_2_00FCA537
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F74D3B mov eax, dword ptr fs:[00000030h] 14_2_00F74D3B
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01018CD6 mov eax, dword ptr fs:[00000030h] 14_2_01018CD6
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_010014FB mov eax, dword ptr fs:[00000030h] 14_2_010014FB
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0101070D mov eax, dword ptr fs:[00000030h] 14_2_0101070D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F716E0 mov ecx, dword ptr fs:[00000030h] 14_2_00F716E0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F576E2 mov eax, dword ptr fs:[00000030h] 14_2_00F576E2
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F736CC mov eax, dword ptr fs:[00000030h] 14_2_00F736CC
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FFFEC0 mov eax, dword ptr fs:[00000030h] 14_2_00FFFEC0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F88EC7 mov eax, dword ptr fs:[00000030h] 14_2_00F88EC7
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC46A7 mov eax, dword ptr fs:[00000030h] 14_2_00FC46A7
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01018F6A mov eax, dword ptr fs:[00000030h] 14_2_01018F6A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FDFE87 mov eax, dword ptr fs:[00000030h] 14_2_00FDFE87
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6AE73 mov eax, dword ptr fs:[00000030h] 14_2_00F6AE73
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F5766D mov eax, dword ptr fs:[00000030h] 14_2_00F5766D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F57E41 mov eax, dword ptr fs:[00000030h] 14_2_00F57E41
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FFFE3F mov eax, dword ptr fs:[00000030h] 14_2_00FFFE3F
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4E620 mov eax, dword ptr fs:[00000030h] 14_2_00F4E620
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7A61C mov eax, dword ptr fs:[00000030h] 14_2_00F7A61C
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F4C600 mov eax, dword ptr fs:[00000030h] 14_2_00F4C600
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F78E00 mov eax, dword ptr fs:[00000030h] 14_2_00F78E00
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01001608 mov eax, dword ptr fs:[00000030h] 14_2_01001608
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F837F5 mov eax, dword ptr fs:[00000030h] 14_2_00F837F5
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_0100AE44 mov eax, dword ptr fs:[00000030h] 14_2_0100AE44
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F58794 mov eax, dword ptr fs:[00000030h] 14_2_00F58794
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FC7794 mov eax, dword ptr fs:[00000030h] 14_2_00FC7794
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F5FF60 mov eax, dword ptr fs:[00000030h] 14_2_00F5FF60
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01010EA5 mov eax, dword ptr fs:[00000030h] 14_2_01010EA5
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F5EF40 mov eax, dword ptr fs:[00000030h] 14_2_00F5EF40
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7E730 mov eax, dword ptr fs:[00000030h] 14_2_00F7E730
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6B73D mov eax, dword ptr fs:[00000030h] 14_2_00F6B73D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_01018ED6 mov eax, dword ptr fs:[00000030h] 14_2_01018ED6
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F44F2E mov eax, dword ptr fs:[00000030h] 14_2_00F44F2E
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F6F716 mov eax, dword ptr fs:[00000030h] 14_2_00F6F716
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00FDFF10 mov eax, dword ptr fs:[00000030h] 14_2_00FDFF10
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Code function: 14_2_00F7A70E mov eax, dword ptr fs:[00000030h] 14_2_00F7A70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05138D34 mov eax, dword ptr fs:[00000030h] 17_2_05138D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0512E539 mov eax, dword ptr fs:[00000030h] 17_2_0512E539
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05094D3B mov eax, dword ptr fs:[00000030h] 17_2_05094D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05073D34 mov eax, dword ptr fs:[00000030h] 17_2_05073D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0506AD30 mov eax, dword ptr fs:[00000030h] 17_2_0506AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050EA537 mov eax, dword ptr fs:[00000030h] 17_2_050EA537
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050A3D43 mov eax, dword ptr fs:[00000030h] 17_2_050A3D43
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050E3540 mov eax, dword ptr fs:[00000030h] 17_2_050E3540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05113D40 mov eax, dword ptr fs:[00000030h] 17_2_05113D40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05087D50 mov eax, dword ptr fs:[00000030h] 17_2_05087D50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0508C577 mov eax, dword ptr fs:[00000030h] 17_2_0508C577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05092581 mov eax, dword ptr fs:[00000030h] 17_2_05092581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05062D8A mov eax, dword ptr fs:[00000030h] 17_2_05062D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05122D82 mov eax, dword ptr fs:[00000030h] 17_2_05122D82
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0509FD9B mov eax, dword ptr fs:[00000030h] 17_2_0509FD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050935A1 mov eax, dword ptr fs:[00000030h] 17_2_050935A1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05091DB5 mov eax, dword ptr fs:[00000030h] 17_2_05091DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_051305AC mov eax, dword ptr fs:[00000030h] 17_2_051305AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050E6DC9 mov eax, dword ptr fs:[00000030h] 17_2_050E6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050E6DC9 mov ecx, dword ptr fs:[00000030h] 17_2_050E6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05118DF1 mov eax, dword ptr fs:[00000030h] 17_2_05118DF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0507D5E0 mov eax, dword ptr fs:[00000030h] 17_2_0507D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0512FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0512FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050E6C0A mov eax, dword ptr fs:[00000030h] 17_2_050E6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05121C06 mov eax, dword ptr fs:[00000030h] 17_2_05121C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0513740D mov eax, dword ptr fs:[00000030h] 17_2_0513740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0509BC2C mov eax, dword ptr fs:[00000030h] 17_2_0509BC2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0509A44B mov eax, dword ptr fs:[00000030h] 17_2_0509A44B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_050FC450 mov eax, dword ptr fs:[00000030h] 17_2_050FC450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0508746D mov eax, dword ptr fs:[00000030h] 17_2_0508746D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0509AC7B mov eax, dword ptr fs:[00000030h] 17_2_0509AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0508B477 mov eax, dword ptr fs:[00000030h] 17_2_0508B477
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05124496 mov eax, dword ptr fs:[00000030h] 17_2_05124496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_0507849B mov eax, dword ptr fs:[00000030h] 17_2_0507849B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_05138CD6 mov eax, dword ptr fs:[00000030h] 17_2_05138CD6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_051214FB mov eax, dword ptr fs:[00000030h] 17_2_051214FB
Enables debug privileges
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 11A0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Process created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe'
Source: explorer.exe, 00000010.00000000.825453566.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000010.00000000.827310506.0000000001080000.00000002.00000001.sdmp, msdt.exe, 00000011.00000002.910607402.00000000037E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000010.00000000.813672851.0000000005E50000.00000004.00000001.sdmp, msdt.exe, 00000011.00000002.910607402.00000000037E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.827310506.0000000001080000.00000002.00000001.sdmp, msdt.exe, 00000011.00000002.910607402.00000000037E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.827310506.0000000001080000.00000002.00000001.sdmp, msdt.exe, 00000011.00000002.910607402.00000000037E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000000.817203156.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Queries volume information: C:\Users\user\Desktop\dNeoJAgJU5.exe VolumeInformation
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE
No contacted IP infos