
Analysis Report dNeoJAgJU5

Overview

General Information

Sample Name: dNeoJAgJU5 (renamed file extension from none to exe)
Analysis ID: 433079
MD5: d2a8ef4a18e3c6dc377daf765b37a9ca
SHA1: 7c6bcb0d6e1528af56b888657a26c186c818493b
SHA256: 931959c2c56185581ab2639948e3e207c5cb3c1e1c0225567c31f03a5b39e65d
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • dNeoJAgJU5.exe (PID: 7144 cmdline: 'C:\Users\user\Desktop\dNeoJAgJU5.exe' MD5: D2A8EF4A18E3C6DC377DAF765B37A9CA)
    • dNeoJAgJU5.exe (PID: 4904 cmdline: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe MD5: D2A8EF4A18E3C6DC377DAF765B37A9CA)
    • dNeoJAgJU5.exe (PID: 6880 cmdline: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe MD5: D2A8EF4A18E3C6DC377DAF765B37A9CA)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 5724 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 660 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}
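The configuration above separates the single real C2 from 64 decoy domains. The following is an added example, not part of the Joe Sandbox report, showing how a responder would turn that configuration into hunting indicators and run them over proxy logs. CONFIG is the extracted configuration with only the first eight decoys kept for brevity (the full list above should be used in practice); the log lines and their format (timestamp, client IP, method, URL) are constructed for this example. Treating the decoys as a weak signal rather than a block list is this example's own recommendation: the report labels them decoy, and they look like (and may be) unrelated legitimate sites. The certificate-revocation and font-vendor URLs listed later under Networking are strings from the signature blob and from explorer.exe's memory, not indicators.

```python
"""Hunt proxy logs with the configuration extracted above.

Added example, not part of the report. CONFIG is the extracted configuration
with only the first eight decoys kept for brevity (use the full list in
practice). The log lines and their format (timestamp, client IP, method,
URL) are constructed for this example. Treating the decoys as a weak signal
rather than a block list is this example's own recommendation.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

CONFIG = json.loads('''{"C2 list": ["www.bucksnortneola.com/gw2/"],
 "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com",
           "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com"]}''')

# Constructed proxy log: two clients, one of which talks to the real C2.
PROXY_LOG = """\
2021-06-10T12:00:01Z 10.0.0.5 GET http://www.bucksnortneola.com/gw2/?ka=ABCDEF
2021-06-10T12:00:02Z 10.0.0.5 POST http://www.bucksnortneola.com/gw2/
2021-06-10T12:00:03Z 10.0.0.5 GET http://www.kmampc.com/gw2/?ka=ABCDEF
2021-06-10T12:00:04Z 10.0.0.7 GET http://www.example.org/index.html
2021-06-10T12:00:05Z 10.0.0.5 GET http://bucksnortneola.com/about/
2021-06-10T12:00:06Z 10.0.0.9 GET http://swagsoldier.com/
"""


def norm_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    www.bucksnortneola.com and bucksnortneola.com compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_indicators(cfg: dict):
    """C2 hosts mapped to their panel path, plus the set of decoy hosts.
    Config entries carry no scheme, so one is prepended for urlsplit."""
    c2 = {}
    for entry in cfg["C2 list"]:
        u = urlsplit("http://" + entry)
        c2[norm_host(u.hostname)] = u.path or "/"
    decoys = {norm_host(d) for d in cfg["decoy"]}
    return c2, decoys


def classify(url: str, c2: dict, decoys: set):
    """'c2' for the panel path on a C2 host, 'c2_host' for any other path on
    it, 'decoy' for a decoy host, None otherwise."""
    u = urlsplit(url)
    host = norm_host(u.hostname)
    if host in c2:
        return "c2" if u.path.startswith(c2[host]) else "c2_host"
    if host in decoys:
        return "decoy"
    return None


def hunt(log_text: str, cfg: dict) -> list:
    """Return (client, verdict, url) for every log line that matches an indicator."""
    c2, decoys = build_indicators(cfg)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url = line.split(" ", 3)
        verdict = classify(url, c2, decoys)
        if verdict:
            hits.append((client, verdict, url))
    return hits


def triage(hits: list) -> dict:
    """Any contact with the C2 host is 'confirmed'; decoy-only contact is
    'review', because decoys are not proof of infection on their own."""
    verdicts = defaultdict(set)
    for client, verdict, _url in hits:
        verdicts[client].add(verdict)
    return {c: "confirmed" if v & {"c2", "c2_host"} else "review"
            for c, v in verdicts.items()}


if __name__ == "__main__":
    found = hunt(PROXY_LOG, CONFIG)
    for hit in found:
        print(hit)
    print(triage(found))
```

Running it flags 10.0.0.5 as confirmed (it reached the panel path and another path on the C2 host) and 10.0.0.9 for review (decoy contact only); 10.0.0.7 never appears.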

Yara Overview

Initial Sample

Source: dNeoJAgJU5.exe, Rule: JoeSecurity_CosturaAssemblyLoader (Yara detected Costura Assembly Loader), Author: Joe Security

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Rule: JoeSecurity_CosturaAssemblyLoader (Yara detected Costura Assembly Loader), Author: Joe Security

Memory Dumps

Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9e88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xa102:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15711:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xab1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1498c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb813:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8c7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, Rule: Formbook (detect Formbook in memory), Author: JPCERT/CC Incident Response Group
  • 0x189a9:$sqlite3step: 68 34 1C 7B E1
  • 0x18abc:$sqlite3step: 68 34 1C 7B E1
  • 0x189d8:$sqlite3text: 68 38 2A 90 C5
  • 0x18afd:$sqlite3text: 68 38 2A 90 C5
  • 0x189eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18b13:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.796802403.0000000000052000.00000002.00020000.sdmp, Rule: JoeSecurity_CosturaAssemblyLoader (Yara detected Costura Assembly Loader), Author: Joe Security
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security
(38 entries in total; the remaining entries are not reproduced here)

Unpacked PEs

Source: 17.2.msdt.exe.556f834.4.unpack, Rule: JoeSecurity_CosturaAssemblyLoader (Yara detected Costura Assembly Loader), Author: Joe Security
Source: 13.0.dNeoJAgJU5.exe.370000.0.unpack, Rule: JoeSecurity_CosturaAssemblyLoader (Yara detected Costura Assembly Loader), Author: Joe Security
Source: 13.2.dNeoJAgJU5.exe.370000.0.unpack, Rule: JoeSecurity_CosturaAssemblyLoader (Yara detected Costura Assembly Loader), Author: Joe Security
Source: 17.2.msdt.exe.556f834.4.raw.unpack, Rule: JoeSecurity_CosturaAssemblyLoader (Yara detected Costura Assembly Loader), Author: Joe Security
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security
(19 entries in total; the remaining entries are not reproduced here)
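The offsets and byte strings in the Memory Dumps table are what the two community rules matched in the dump. The following is an added example, not the report's tooling and not the rules' own code, that reproduces those hits over a constructed buffer (the real dumps are not on the page) and decodes what the strings are: each JPCERT/CC string is an x86 `push imm32` (opcode 0x68, little-endian immediate), and the yara-signator `$sequence_0` is an `rdtsc` delta, the timing check behind "Tries to detect virtualization through RDTSC time measurements" in the signature list. That the pushed constants are hashed API identifiers rather than addresses, and that the rule's condition is "all three strings present", are assumptions of this example; only the string names and bytes come from the page.

```python
"""Reproduce the string hits of the community Yara rules listed above.

Added example; not the report's tooling and not the rules' own code. The
byte strings are copied from the Memory Dumps table; the buffer they are
searched in is constructed here, with each JPCERT/CC string placed twice as
the report shows. Decoding assumes x86: 0x68 is 'push imm32' with a
little-endian 32-bit immediate.
"""
import struct

# JPCERT/CC "detect Formbook in memory": each string is a push of a 32-bit
# constant. The rule names them after sqlite3 functions; that these are hashed
# API identifiers (not addresses) is an assumption of this example, and the
# hashing algorithm is not on the page.
JPCERT_STRINGS = {
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}

# yara-signator $sequence_0 from the same table, decoded by hand:
#   03 C8      add ecx, eax
#   0F 31      rdtsc
#   2B C1      sub eax, ecx
#   89 45 FC   mov [ebp-4], eax
# i.e. a time-stamp-counter delta: the RDTSC timing check named in the
# signature list.
SIGNATOR_SEQ0 = bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC")


def find_all(buf: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in buf (overlaps included)."""
    hits, start = [], 0
    while (i := buf.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def scan(buf: bytes, patterns: dict) -> dict:
    """Name -> list of match offsets, the shape of the report's table."""
    return {name: find_all(buf, pat) for name, pat in patterns.items()}


def decode_push_imm32(chunk: bytes) -> int:
    """Immediate operand of an x86 'push imm32' (68 xx xx xx xx)."""
    if len(chunk) < 5 or chunk[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack_from("<I", chunk, 1)[0]


def push_immediates(buf: bytes, hits: dict) -> dict:
    """Distinct immediates behind each JPCERT/CC string hit."""
    return {name: sorted({decode_push_imm32(buf[o:o + 5]) for o in offs})
            for name, offs in hits.items() if name in JPCERT_STRINGS}


def looks_like_formbook(hits: dict) -> bool:
    """Approximation used here: all three JPCERT/CC strings present. The
    rule's real condition is not on the page."""
    return all(hits.get(n) for n in JPCERT_STRINGS)


def build_sample() -> bytes:
    """Constructed 4 KiB buffer: int3 filler with each JPCERT/CC string placed
    twice and the rdtsc sequence once. Offsets are arbitrary."""
    buf = bytearray(b"\xcc" * 0x1000)
    layout = {"sqlite3step": (0x200, 0x800),
              "sqlite3text": (0x210, 0x810),
              "sqlite3blob": (0x220, 0x820)}
    for name, offs in layout.items():
        for o in offs:
            buf[o:o + 5] = JPCERT_STRINGS[name]
    buf[0x100:0x100 + len(SIGNATOR_SEQ0)] = SIGNATOR_SEQ0
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    hits = scan(sample, {**JPCERT_STRINGS, "sequence_0": SIGNATOR_SEQ0})
    for name, offs in hits.items():
        print(name, [hex(o) for o in offs])
    print({k: [hex(v) for v in vs] for k, vs in push_immediates(sample, hits).items()})
    print("formbook-like:", looks_like_formbook(hits))
```

Against a real dump, pass the file contents to `scan` instead of `build_sample()`; the decoded immediates (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are the constants to search for when the surrounding code has been re-laid-out and the exact byte sequence no longer matches.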

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 5724

                      Signature Overview


                      AV Detection:

Found malware configuration
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration reproduced in full under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: dNeoJAgJU5.exe, Virustotal: Detection: 50%
Source: dNeoJAgJU5.exe, Metadefender: Detection: 25%
Source: dNeoJAgJU5.exe, ReversingLabs: Detection: 58%
Yara detected FormBook
Source: Yara match, File source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: dNeoJAgJU5.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: dNeoJAgJU5.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp
                      Source: Binary string: msdt.pdbGCTL source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
                      Source: Binary string: wntdll.pdbUGP source: dNeoJAgJU5.exe, 0000000E.00000002.847661435.0000000000F20000.00000040.00000001.sdmp, msdt.exe, 00000011.00000002.910826461.0000000005040000.00000040.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: dNeoJAgJU5.exe, msdt.exe
                      Source: Binary string: msdt.pdb source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
                      Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h, 1_2_0070EB58
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 4x nop then pop esi, 14_2_004172E4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 4x nop then pop edi, 14_2_00417D55
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop esi, 17_2_00EB72E4
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop edi, 17_2_00EB7D55

                      Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.bucksnortneola.com/gw2/
Source: dNeoJAgJU5.exe, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: dNeoJAgJU5.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: dNeoJAgJU5.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: dNeoJAgJU5.exe, String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: dNeoJAgJU5.exe, String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: dNeoJAgJU5.exe, String found in binary or memory: http://ocsp.comodoca.com0
Source: dNeoJAgJU5.exe, String found in binary or memory: http://ocsp.comodoca.com0#
Source: dNeoJAgJU5.exe, String found in binary or memory: http://ocsp.sectigo.com0
Source: dNeoJAgJU5.exe, String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: dNeoJAgJU5.exe, String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: explorer.exe, 00000010.00000000.803168317.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: dNeoJAgJU5.exe, String found in binary or memory: https://sectigo.com/CPS0D
Source: dNeoJAgJU5.exe, String found in binary or memory: https://sectigo.com/CPS0U
Source: dNeoJAgJU5.exe, String found in binary or memory: https://secure.comodo.com/CPS0L
Source: dNeoJAgJU5.exe, 00000001.00000002.798370224.00000000007CA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

Yara detected FormBook
Source: Yara match (the same ten memory dumps and five unpacked PEs listed under AV Detection above)

                      System Summary:

Malicious sample detected (through community Yara rule)
Each of the following sources matched both community rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group).
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE
Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe, Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00419D60 NtCreateFile, 14_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00419E10 NtReadFile, 14_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00419E90 NtClose, 14_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00419F40 NtAllocateVirtualMemory, 14_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00419D5A NtCreateFile, 14_2_00419D5A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00419E8B NtClose, 14_2_00419E8B
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00419F3A NtAllocateVirtualMemory, 14_2_00419F3A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F898F0 NtReadVirtualMemory, LdrInitializeThunk, 14_2_00F898F0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89860 NtQuerySystemInformation, LdrInitializeThunk, 14_2_00F89860
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89840 NtDelayExecution, LdrInitializeThunk, 14_2_00F89840
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F899A0 NtCreateSection, LdrInitializeThunk, 14_2_00F899A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89910 NtAdjustPrivilegesToken, LdrInitializeThunk, 14_2_00F89910
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89A50 NtCreateFile, LdrInitializeThunk, 14_2_00F89A50
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89A20 NtResumeThread, LdrInitializeThunk, 14_2_00F89A20
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89A00 NtProtectVirtualMemory, LdrInitializeThunk, 14_2_00F89A00
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F895D0 NtClose, LdrInitializeThunk, 14_2_00F895D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89540 NtReadFile, LdrInitializeThunk, 14_2_00F89540
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F896E0 NtFreeVirtualMemory, LdrInitializeThunk, 14_2_00F896E0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89660 NtAllocateVirtualMemory, LdrInitializeThunk, 14_2_00F89660
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F897A0 NtUnmapViewOfSection, LdrInitializeThunk, 14_2_00F897A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89780 NtMapViewOfSection, LdrInitializeThunk, 14_2_00F89780
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89710 NtQueryInformationToken, LdrInitializeThunk, 14_2_00F89710
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F898A0 NtWriteVirtualMemory, 14_2_00F898A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F8B040 NtSuspendThread, 14_2_00F8B040
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89820 NtEnumerateKey, 14_2_00F89820
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F899D0 NtCreateProcessEx, 14_2_00F899D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89950 NtQueueApcThread, 14_2_00F89950
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89A80 NtOpenDirectoryObject, 14_2_00F89A80
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, Code function: 14_2_00F89A10 NtQuerySection, 14_2_00F89A10
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F8A3B0 NtGetContextThread,14_2_00F8A3B0
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89B00 NtSetValueKey,14_2_00F89B00
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F895F0 NtQueryInformationFile,14_2_00F895F0
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89560 NtWriteFile,14_2_00F89560
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F8AD30 NtSetContextThread,14_2_00F8AD30
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89520 NtWaitForSingleObject,14_2_00F89520
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F896D0 NtCreateKey,14_2_00F896D0
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89670 NtQueryInformationProcess,14_2_00F89670
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89650 NtQueryValueKey,14_2_00F89650
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89610 NtEnumerateValueKey,14_2_00F89610
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89FE0 NtCreateMutant,14_2_00F89FE0
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F8A770 NtOpenThread,14_2_00F8A770
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89770 NtSetInformationFile,14_2_00F89770
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89760 NtOpenProcess,14_2_00F89760
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89730 NtQueryVirtualMemory,14_2_00F89730
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F8A710 NtOpenProcessToken,14_2_00F8A710
Source: C:\Windows\SysWOW64\msdt.exe
  Code function: 17_2_050A9540 NtReadFile,LdrInitializeThunk
  Code function: 17_2_050A95D0 NtClose,LdrInitializeThunk
  Code function: 17_2_050A9710 NtQueryInformationToken,LdrInitializeThunk
  Code function: 17_2_050A9780 NtMapViewOfSection,LdrInitializeThunk
  Code function: 17_2_050A9FE0 NtCreateMutant,LdrInitializeThunk
  Code function: 17_2_050A9650 NtQueryValueKey,LdrInitializeThunk
  Code function: 17_2_050A9660 NtAllocateVirtualMemory,LdrInitializeThunk
  Code function: 17_2_050A96D0 NtCreateKey,LdrInitializeThunk
  Code function: 17_2_050A96E0 NtFreeVirtualMemory,LdrInitializeThunk
  Code function: 17_2_050A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
  Code function: 17_2_050A99A0 NtCreateSection,LdrInitializeThunk
  Code function: 17_2_050A9840 NtDelayExecution,LdrInitializeThunk
  Code function: 17_2_050A9860 NtQuerySystemInformation,LdrInitializeThunk
  Code function: 17_2_050A9A50 NtCreateFile,LdrInitializeThunk
  Code function: 17_2_050A9520 NtWaitForSingleObject
  Code function: 17_2_050AAD30 NtSetContextThread
  Code function: 17_2_050A9560 NtWriteFile
  Code function: 17_2_050A95F0 NtQueryInformationFile
  Code function: 17_2_050AA710 NtOpenProcessToken
  Code function: 17_2_050A9730 NtQueryVirtualMemory
  Code function: 17_2_050A9760 NtOpenProcess
  Code function: 17_2_050AA770 NtOpenThread
  Code function: 17_2_050A9770 NtSetInformationFile
  Code function: 17_2_050A97A0 NtUnmapViewOfSection
  Code function: 17_2_050A9610 NtEnumerateValueKey
  Code function: 17_2_050A9670 NtQueryInformationProcess
  Code function: 17_2_050A9950 NtQueueApcThread
  Code function: 17_2_050A99D0 NtCreateProcessEx
  Code function: 17_2_050A9820 NtEnumerateKey
  Code function: 17_2_050AB040 NtSuspendThread
  Code function: 17_2_050A98A0 NtWriteVirtualMemory
  Code function: 17_2_050A98F0 NtReadVirtualMemory
  Code function: 17_2_050A9B00 NtSetValueKey
  Code function: 17_2_050AA3B0 NtGetContextThread
  Code function: 17_2_050A9A00 NtProtectVirtualMemory
  Code function: 17_2_050A9A10 NtQuerySection
  Code function: 17_2_050A9A20 NtResumeThread
  Code function: 17_2_050A9A80 NtOpenDirectoryObject
  Code function: 17_2_00EB9D60 NtCreateFile
  Code function: 17_2_00EB9E90 NtClose
  Code function: 17_2_00EB9E10 NtReadFile
  Code function: 17_2_00EB9F40 NtAllocateVirtualMemory
  Code function: 17_2_00EB9D5A NtCreateFile
  Code function: 17_2_00EB9E8B NtClose
  Code function: 17_2_00EB9F3A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe
  Code function: 1_2_007018C0
  Code function: 1_2_0070FA20
  Code function: 1_2_00701CF0
  Code function: 1_2_0070F398
  Code function: 1_2_04BC0040
  Code function: 1_2_04BC6CC0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
  Code function: 14_2_00401030
  Code function: 14_2_0041D8BA
  Code function: 14_2_0041D988
  Code function: 14_2_0041E2F2
  Code function: 14_2_004012FB
  Code function: 14_2_0041DA9E
  Code function: 14_2_00402D88
  Code function: 14_2_00402D90
  Code function: 14_2_00409E40
  Code function: 14_2_0041DE31
  Code function: 14_2_00409E3B
  Code function: 14_2_0041D719
  Code function: 14_2_0041CFA3
  Code function: 14_2_0041CFA6
  Code function: 14_2_00402FB0
  Code function: 14_2_0041DFB0
  Code function: 14_2_00F720A0
  Code function: 14_2_00F5B090
  Code function: 14_2_00F6A830
  Code function: 14_2_01001002
  Code function: 14_2_0101E824
  Code function: 14_2_00F699BF
  Code function: 14_2_010120A8
  Code function: 14_2_00F64120
  Code function: 14_2_010128EC
  Code function: 14_2_00F4F900
  Code function: 14_2_01012B28
  Code function: 14_2_0100DBD2
  Code function: 14_2_00FFFA2B
  Code function: 14_2_010003DA
  Code function: 14_2_00FF23E3
  Code function: 14_2_00F7ABD8
  Code function: 14_2_00F7EBB0
  Code function: 14_2_010122AE
  Code function: 14_2_00F6AB40
  Code function: 14_2_01004AEF
  Code function: 14_2_00F6A309
  Code function: 14_2_01012D07
  Code function: 14_2_01011D55
  Code function: 14_2_01002D82
  Code function: 14_2_010125DD
  Code function: 14_2_00F5841F
  Code function: 14_2_00F5D5E0
  Code function: 14_2_0100D466
  Code function: 14_2_00F72581
  Code function: 14_2_01004496
  Code function: 14_2_00F40D20
  Code function: 14_2_00F66E30
  Code function: 14_2_0101DFCE
  Code function: 14_2_01011FF1
  Code function: 14_2_0100D616
  Code function: 14_2_01012EF7
Source: C:\Windows\SysWOW64\msdt.exe
  Code function: 17_2_05132D07
  Code function: 17_2_05060D20
  Code function: 17_2_05131D55
  Code function: 17_2_05092581
  Code function: 17_2_05122D82
  Code function: 17_2_051325DD
  Code function: 17_2_0507D5E0
  Code function: 17_2_0507841F
  Code function: 17_2_0512D466
  Code function: 17_2_0508B477
  Code function: 17_2_05124496
  Code function: 17_2_0513DFCE
  Code function: 17_2_05131FF1
  Code function: 17_2_0512D616
  Code function: 17_2_05086E30
  Code function: 17_2_05132EF7
  Code function: 17_2_0506F900
  Code function: 17_2_05084120
  Code function: 17_2_050899BF
  Code function: 17_2_05121002
  Code function: 17_2_0513E824
  Code function: 17_2_0508A830
  Code function: 17_2_0507B090
  Code function: 17_2_050920A0
  Code function: 17_2_051320A8
  Code function: 17_2_051328EC
  Code function: 17_2_0508A309
  Code function: 17_2_05132B28
  Code function: 17_2_0508AB40
  Code function: 17_2_0510CB4F
  Code function: 17_2_0509EBB0
  Code function: 17_2_0512DBD2
  Code function: 17_2_051203DA
  Code function: 17_2_0509ABD8
  Code function: 17_2_051123E3
  Code function: 17_2_0511FA2B
  Code function: 17_2_051322AE
  Code function: 17_2_05124AEF
  Code function: 17_2_00EBE2F2
  Code function: 17_2_00EA2D88
  Code function: 17_2_00EA2D90
  Code function: 17_2_00EA9E40
  Code function: 17_2_00EA9E3B
  Code function: 17_2_00EBCFA6
  Code function: 17_2_00EA2FB0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function 0506B150 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: String function 00F4B150 appears 133 times
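The native-API rows above are a flat list per process; what a triage analyst wants from them is the per-process set of Nt* calls and whether the injection primitives the report's signatures name (process hollowing, APC queueing) are all present in one process. The Python below is an added example, not part of the Joe Sandbox report: it parses evidence rows in the flattened `<pid>_<run>_<address> <api>,...,<pid>_<run>_<address>` shape the page shows, groups the Nt* calls by process id and checks them against two API chains. The chain membership (`INJECTION_CHAINS`) is my own grouping for illustration, not a sandbox definition, and the sample rows are constructed by copying a handful of lines from this report.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the report above, in the flattened
# shape the page shows (source and "Code function" fused, address repeated).
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F899D0 NtCreateProcessEx,14_2_00F899D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F897A0 NtUnmapViewOfSection,LdrInitializeThunk,14_2_00F897A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89780 NtMapViewOfSection,LdrInitializeThunk,14_2_00F89780
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F898A0 NtWriteVirtualMemory,14_2_00F898A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F8AD30 NtSetContextThread,14_2_00F8AD30
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89A20 NtResumeThread,LdrInitializeThunk,14_2_00F89A20
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89950 NtQueueApcThread,14_2_00F89950
Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9540 NtReadFile,LdrInitializeThunk,17_2_050A9540
Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9950 NtQueueApcThread,17_2_050A9950
Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_00EB9D60 NtCreateFile,17_2_00EB9D60
Source: C:\Users\user\Desktop\dNeoJAgJU5.exeCode function: 1_2_007018C01_2_007018C0
"""

# One evidence row: "<pid>_<run>_<addr>", an optional comma-separated API
# list, then the same address repeated.  Addresses are 8 hex digits here.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?)Code function: "
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})"
    r"(?: (?P<apis>[\w,]*?),)?"
    r"(?P=pid)_(?P=run)_(?P=addr)$"
)

# Illustrative API chains (my grouping, not a sandbox definition): a process
# is created, its image unmapped, the payload mapped or written in, the
# thread context redirected and the thread resumed; or an APC is queued.
INJECTION_CHAINS = {
    "process_hollowing": {
        "NtCreateProcessEx", "NtUnmapViewOfSection", "NtMapViewOfSection",
        "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread",
    },
    "apc_injection": {"NtQueueApcThread", "NtResumeThread"},
}


def parse_code_functions(report_text):
    """Yield (source, pid, address, apis) for every row that parses."""
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings, Yara rows, anything not a code-function row
        apis = [a for a in (m["apis"] or "").split(",") if a]
        yield m["src"], int(m["pid"]), int(m["addr"], 16), apis


def native_apis_by_process(report_text):
    """Map pid -> sorted list of distinct Nt* APIs attributed to that pid."""
    per_pid = defaultdict(set)
    for _src, pid, _addr, apis in parse_code_functions(report_text):
        # Drop call-trace noise such as LdrInitializeThunk; keep syscall stubs.
        per_pid[pid].update(a for a in apis if a.startswith("Nt"))
    return {pid: sorted(apis) for pid, apis in per_pid.items()}


def injection_indicators(apis):
    """For each chain with any overlap, the subset of its APIs present."""
    present = set(apis)
    return {name: sorted(chain & present)
            for name, chain in INJECTION_CHAINS.items() if chain & present}


def complete_chains(apis):
    """Names of chains whose every API is present in `apis`."""
    present = set(apis)
    return sorted(name for name, chain in INJECTION_CHAINS.items()
                  if chain <= present)


if __name__ == "__main__":
    for pid, apis in sorted(native_apis_by_process(SAMPLE_REPORT).items()):
        print(f"pid {pid}: {len(apis)} Nt* APIs, complete chains: "
              f"{complete_chains(apis) or 'none'}")
```

Running it against the full report text (saved from the page) rather than the constructed sample gives one line per process; the value over reading the rows by eye is that a process with a complete chain stands out even when the relevant calls are scattered across forty rows.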
Source: dNeoJAgJU5.exe | Static PE information: invalid certificate
Source: dNeoJAgJU5.exe | Binary or memory string: OriginalFilename vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.798768143.0000000000BC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.798370224.00000000007CA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWzjqbfipybrt.dll" vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.802828882.0000000004970000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.798858613.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.799715602.000000000346D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAwbznzeq.dll2 vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe | Binary or memory string: OriginalFilename vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe | Binary or memory string: OriginalFilename vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 0000000E.00000002.848550242.00000000011CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe | Binary or memory string: OriginalFilenameConsoleApp15.exeB vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Both rules matched in each of the following sources:
  Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
  Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
  Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY
  Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
  Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
  Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY
  Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY
  Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
  Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE
  Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE
  Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
                      Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                      Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                      Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                      Source: dNeoJAgJU5.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: dNeoJAgJU5.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@9/3@0/0
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dNeoJAgJU5.exe.logJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_01
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeFile created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeJump to behavior
                      Source: dNeoJAgJU5.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: dNeoJAgJU5.exeVirustotal: Detection: 50%
                      Source: dNeoJAgJU5.exeMetadefender: Detection: 25%
                      Source: dNeoJAgJU5.exeReversingLabs: Detection: 58%
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeFile read: C:\Users\user\Desktop\dNeoJAgJU5.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\dNeoJAgJU5.exe 'C:\Users\user\Desktop\dNeoJAgJU5.exe'
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeProcess created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeProcess created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
                      Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeProcess created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeJump to behavior
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeProcess created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeJump to behavior
                      Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: dNeoJAgJU5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: dNeoJAgJU5.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp
                      Source: Binary string: msdt.pdbGCTL source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
                      Source: Binary string: wntdll.pdbUGP source: dNeoJAgJU5.exe, 0000000E.00000002.847661435.0000000000F20000.00000040.00000001.sdmp, msdt.exe, 00000011.00000002.910826461.0000000005040000.00000040.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: dNeoJAgJU5.exe, msdt.exe
                      Source: Binary string: msdt.pdb source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
                      Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: dNeoJAgJU5.exe, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dNeoJAgJU5.exe.1.dr, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.dNeoJAgJU5.exe.50000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.dNeoJAgJU5.exe.50000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.dNeoJAgJU5.exe.370000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.dNeoJAgJU5.exe.370000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.dNeoJAgJU5.exe.4e0000.2.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.dNeoJAgJU5.exe.4e0000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dNeoJAgJU5.exe.4e0000.1.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Yara detected Costura Assembly Loader
Source: Yara match | File source: dNeoJAgJU5.exe, type: SAMPLE
Source: Yara match | File source: 00000001.00000002.796802403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.795971862.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.794448799.0000000000372000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.795210062.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.641852004.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.846927570.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.910650632.0000000004BF6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.911108077.000000000556F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.793684008.0000000000372000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dNeoJAgJU5.exe PID: 7144, type: MEMORY
Source: Yara match | File source: Process Memory Space: dNeoJAgJU5.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: dNeoJAgJU5.exe PID: 4904, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, type: DROPPED
Source: Yara match | File source: 17.2.msdt.exe.556f834.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.dNeoJAgJU5.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dNeoJAgJU5.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.msdt.exe.556f834.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.dNeoJAgJU5.exe.4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.dNeoJAgJU5.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.dNeoJAgJU5.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dNeoJAgJU5.exe.4e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dNeoJAgJU5.exe.50000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00417B68 push ebx; ret 14_2_00417B69
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0041CEB5 push eax; ret 14_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0041CF6C push eax; ret 14_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0041CF02 push eax; ret 14_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0041CF0B push eax; ret 14_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_004167E2 push esi; retf 14_2_004167F5
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0040C78D push ecx; iretd 14_2_0040C78E
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F9D0D1 push ecx; ret 14_2_00F9D0E4
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050BD0D1 push ecx; ret 17_2_050BD0E4
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EB7B68 push ebx; ret 17_2_00EB7B69
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EBCEB5 push eax; ret 17_2_00EBCF08
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EB67E2 push esi; retf 17_2_00EB67F5
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EAC78D push ecx; iretd 17_2_00EAC78E
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EBCF6C push eax; ret 17_2_00EBCF72
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EBCF0B push eax; ret 17_2_00EBCF72
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EBCF02 push eax; ret 17_2_00EBCF08
Source: initial sample | Static PE information: section name: .text entropy: 7.99020457416
Source: initial sample | Static PE information: section name: .text entropy: 7.99020457416
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | File created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE6
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000EA98E4 second address: 0000000000EA98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000EA9B5E second address: 0000000000EA9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00409A90 rdtsc 14_2_00409A90
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe TID: 4732 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Thread delayed: delay time: 922337203685477
Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000010.00000000.816929944.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000010.00000000.817062872.000000000A64D000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATALL
Source: explorer.exe, 00000010.00000000.813704987.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.816929944.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
Source: explorer.exe, 00000010.00000000.836654921.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000010.00000000.817203156.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000010.00000000.817203156.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000010.00000000.836654921.0000000004710000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00409A90 rdtsc 14_2_00409A90
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Code function: 1_2_00701230 LdrInitializeThunk, 1_2_00701230
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F6B8E4 mov eax, dword ptr fs:[00000030h] 14_2_00F6B8E4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F6B8E4 mov eax, dword ptr fs:[00000030h] 14_2_00F6B8E4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F440E1 mov eax, dword ptr fs:[00000030h] 14_2_00F440E1
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F440E1 mov eax, dword ptr fs:[00000030h] 14_2_00F440E1
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F440E1 mov eax, dword ptr fs:[00000030h] 14_2_00F440E1
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F458EC mov eax, dword ptr fs:[00000030h] 14_2_00F458EC
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FDB8D0 mov eax, dword ptr fs:[00000030h] 14_2_00FDB8D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FDB8D0 mov ecx, dword ptr fs:[00000030h] 14_2_00FDB8D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FDB8D0 mov eax, dword ptr fs:[00000030h] 14_2_00FDB8D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FDB8D0 mov eax, dword ptr fs:[00000030h] 14_2_00FDB8D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FDB8D0 mov eax, dword ptr fs:[00000030h] 14_2_00FDB8D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FDB8D0 mov eax, dword ptr fs:[00000030h] 14_2_00FDB8D0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7F0BF mov ecx, dword ptr fs:[00000030h] 14_2_00F7F0BF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7F0BF mov eax, dword ptr fs:[00000030h] 14_2_00F7F0BF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7F0BF mov eax, dword ptr fs:[00000030h] 14_2_00F7F0BF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F890AF mov eax, dword ptr fs:[00000030h] 14_2_00F890AF
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F720A0 mov eax, dword ptr fs:[00000030h] 14_2_00F720A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F720A0 mov eax, dword ptr fs:[00000030h] 14_2_00F720A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F720A0 mov eax, dword ptr fs:[00000030h] 14_2_00F720A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F720A0 mov eax, dword ptr fs:[00000030h] 14_2_00F720A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F720A0 mov eax, dword ptr fs:[00000030h] 14_2_00F720A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F720A0 mov eax, dword ptr fs:[00000030h] 14_2_00F720A0
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F49080 mov eax, dword ptr fs:[00000030h] 14_2_00F49080
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FC3884 mov eax, dword ptr fs:[00000030h] 14_2_00FC3884
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FC3884 mov eax, dword ptr fs:[00000030h] 14_2_00FC3884
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_010049A4 mov eax, dword ptr fs:[00000030h] 14_2_010049A4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_010049A4 mov eax, dword ptr fs:[00000030h] 14_2_010049A4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_010049A4 mov eax, dword ptr fs:[00000030h] 14_2_010049A4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_010049A4 mov eax, dword ptr fs:[00000030h] 14_2_010049A4
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F60050 mov eax, dword ptr fs:[00000030h] 14_2_00F60050
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F60050 mov eax, dword ptr fs:[00000030h] 14_2_00F60050
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F6A830 mov eax, dword ptr fs:[00000030h] 14_2_00F6A830
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F6A830 mov eax, dword ptr fs:[00000030h] 14_2_00F6A830
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F6A830 mov eax, dword ptr fs:[00000030h] 14_2_00F6A830
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F6A830 mov eax, dword ptr fs:[00000030h] 14_2_00F6A830
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7002D mov eax, dword ptr fs:[00000030h] 14_2_00F7002D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7002D mov eax, dword ptr fs:[00000030h] 14_2_00F7002D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7002D mov eax, dword ptr fs:[00000030h] 14_2_00F7002D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7002D mov eax, dword ptr fs:[00000030h] 14_2_00F7002D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7002D mov eax, dword ptr fs:[00000030h] 14_2_00F7002D
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F5B02A mov eax, dword ptr fs:[00000030h] 14_2_00F5B02A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F5B02A mov eax, dword ptr fs:[00000030h] 14_2_00F5B02A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F5B02A mov eax, dword ptr fs:[00000030h] 14_2_00F5B02A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F5B02A mov eax, dword ptr fs:[00000030h] 14_2_00F5B02A
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FC7016 mov eax, dword ptr fs:[00000030h] 14_2_00FC7016
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FC7016 mov eax, dword ptr fs:[00000030h] 14_2_00FC7016
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FC7016 mov eax, dword ptr fs:[00000030h] 14_2_00FC7016
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_01014015 mov eax, dword ptr fs:[00000030h] 14_2_01014015
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_01014015 mov eax, dword ptr fs:[00000030h] 14_2_01014015
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FD41E8 mov eax, dword ptr fs:[00000030h] 14_2_00FD41E8
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe<