
Analysis Report dNeoJAgJU5

Overview

General Information

Sample Name: dNeoJAgJU5 (renamed file extension from none to exe)
Analysis ID: 433079
MD5: d2a8ef4a18e3c6dc377daf765b37a9ca
SHA1: 7c6bcb0d6e1528af56b888657a26c186c818493b
SHA256: 931959c2c56185581ab2639948e3e207c5cb3c1e1c0225567c31f03a5b39e65d
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • dNeoJAgJU5.exe (PID: 7144 cmdline: 'C:\Users\user\Desktop\dNeoJAgJU5.exe' MD5: D2A8EF4A18E3C6DC377DAF765B37A9CA)
    • dNeoJAgJU5.exe (PID: 4904 cmdline: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe MD5: D2A8EF4A18E3C6DC377DAF765B37A9CA)
    • dNeoJAgJU5.exe (PID: 6880 cmdline: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe MD5: D2A8EF4A18E3C6DC377DAF765B37A9CA)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 5724 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 660 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}

Yara Overview

Initial Sample

Source: dNeoJAgJU5.exe | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security

Memory Dumps

Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
  • 0x9e88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xa102:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15711:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xab1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1498c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb813:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8c7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group | Strings:
  • 0x189a9:$sqlite3step: 68 34 1C 7B E1
  • 0x18abc:$sqlite3step: 68 34 1C 7B E1
  • 0x189d8:$sqlite3text: 68 38 2A 90 C5
  • 0x18afd:$sqlite3text: 68 38 2A 90 C5
  • 0x189eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18b13:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.796802403.0000000000052000.00000002.00020000.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
(38 further memory dump entries not shown)

Unpacked PEs

Source: 17.2.msdt.exe.556f834.4.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 13.0.dNeoJAgJU5.exe.370000.0.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 13.2.dNeoJAgJU5.exe.370000.0.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 17.2.msdt.exe.556f834.4.raw.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
(19 further unpacked PE entries not shown)

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 5724

                      Signature Overview

                      AV Detection:

Found malware configuration
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: dNeoJAgJU5.exe | Virustotal: Detection: 50%
Source: dNeoJAgJU5.exe | Metadefender: Detection: 25%
Source: dNeoJAgJU5.exe | ReversingLabs: Detection: 58%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: dNeoJAgJU5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: dNeoJAgJU5.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL | source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: dNeoJAgJU5.exe, 0000000E.00000002.847661435.0000000000F20000.00000040.00000001.sdmp, msdt.exe, 00000011.00000002.910826461.0000000005040000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: dNeoJAgJU5.exe, msdt.exe
Source: Binary string: msdt.pdb | source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi

                      Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.bucksnortneola.com/gw2/
Source: dNeoJAgJU5.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: dNeoJAgJU5.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: dNeoJAgJU5.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: dNeoJAgJU5.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: dNeoJAgJU5.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: dNeoJAgJU5.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: dNeoJAgJU5.exe | String found in binary or memory: http://ocsp.comodoca.com0#
Source: dNeoJAgJU5.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: dNeoJAgJU5.exe | String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: dNeoJAgJU5.exe | String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: explorer.exe, 00000010.00000000.803168317.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000010.00000000.818261023.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: dNeoJAgJU5.exe | String found in binary or memory: https://sectigo.com/CPS0D
Source: dNeoJAgJU5.exe | String found in binary or memory: https://sectigo.com/CPS0U
Source: dNeoJAgJU5.exe | String found in binary or memory: https://secure.comodo.com/CPS0L
Source: dNeoJAgJU5.exe, 00000001.00000002.798370224.00000000007CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE

                      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00419D60 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00419E10 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00419E90 NtClose,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00419D5A NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00419E8B NtClose,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00419F3A NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F898F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F899A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F895D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F896E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F897A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F898A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F8B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F899D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F8A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F89B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F895F0 NtQueryInformationFile,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89560 NtWriteFile,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F8AD30 NtSetContextThread,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89520 NtWaitForSingleObject,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F896D0 NtCreateKey,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89670 NtQueryInformationProcess,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89650 NtQueryValueKey,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89610 NtEnumerateValueKey,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89FE0 NtCreateMutant,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F8A770 NtOpenThread,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89770 NtSetInformationFile,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89760 NtOpenProcess,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F89730 NtQueryVirtualMemory,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F8A710 NtOpenProcessToken,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9540 NtReadFile,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A95D0 NtClose,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9710 NtQueryInformationToken,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9780 NtMapViewOfSection,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9FE0 NtCreateMutant,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9650 NtQueryValueKey,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A96D0 NtCreateKey,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A99A0 NtCreateSection,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9840 NtDelayExecution,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9860 NtQuerySystemInformation,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9A50 NtCreateFile,LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9520 NtWaitForSingleObject,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050AAD30 NtSetContextThread,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9560 NtWriteFile,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A95F0 NtQueryInformationFile,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050AA710 NtOpenProcessToken,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9730 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9760 NtOpenProcess,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050AA770 NtOpenThread,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9770 NtSetInformationFile,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A97A0 NtUnmapViewOfSection,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9610 NtEnumerateValueKey,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9670 NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9950 NtQueueApcThread,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A99D0 NtCreateProcessEx,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9820 NtEnumerateKey,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050AB040 NtSuspendThread,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A98A0 NtWriteVirtualMemory,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A98F0 NtReadVirtualMemory,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9B00 NtSetValueKey,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050AA3B0 NtGetContextThread,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9A00 NtProtectVirtualMemory,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9A10 NtQuerySection,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9A20 NtResumeThread,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_050A9A80 NtOpenDirectoryObject,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_00EB9D60 NtCreateFile,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_00EB9E90 NtClose,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_00EB9E10 NtReadFile,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_00EB9F40 NtAllocateVirtualMemory,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_00EB9D5A NtCreateFile,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_00EB9E8B NtClose,
                      Source: C:\Windows\SysWOW64\msdt.exeCode function: 17_2_00EB9F3A NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0506B150 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: String function: 00F4B150 appears 133 times
Source: dNeoJAgJU5.exe | Static PE information: invalid certificate
Source: dNeoJAgJU5.exe | Binary or memory string: OriginalFilename vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.798768143.0000000000BC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.798370224.00000000007CA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWzjqbfipybrt.dll" vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.802828882.0000000004970000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.798858613.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 00000001.00000002.799715602.000000000346D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAwbznzeq.dll2 vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 0000000E.00000002.848550242.00000000011CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe | Binary or memory string: OriginalFilenameConsoleApp15.exeB vs dNeoJAgJU5.exe
Source: dNeoJAgJU5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000001.00000002.801702027.00000000036B5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000011.00000002.909870472.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000001.00000002.800519998.0000000003546000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000E.00000002.847561501.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000E.00000000.795869224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000011.00000002.910711070.0000000004C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000001.00000002.801275490.000000000361B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000E.00000002.846851933.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000E.00000002.848641291.0000000001250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000011.00000002.910769999.0000000004E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 14.0.dNeoJAgJU5.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 1.2.dNeoJAgJU5.exe.3546d98.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 14.2.dNeoJAgJU5.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 14.0.dNeoJAgJU5.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 14.2.dNeoJAgJU5.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
                      Source: dNeoJAgJU5.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: dNeoJAgJU5.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@9/3@0/0
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dNeoJAgJU5.exe.logJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_01
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeFile created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeJump to behavior
                      Source: dNeoJAgJU5.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: dNeoJAgJU5.exeVirustotal: Detection: 50%
                      Source: dNeoJAgJU5.exeMetadefender: Detection: 25%
                      Source: dNeoJAgJU5.exeReversingLabs: Detection: 58%
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeFile read: C:\Users\user\Desktop\dNeoJAgJU5.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\dNeoJAgJU5.exe 'C:\Users\user\Desktop\dNeoJAgJU5.exe'
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeProcess created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeProcess created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
                      Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeProcess created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeProcess created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe
                      Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe'
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: dNeoJAgJU5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: dNeoJAgJU5.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp
                      Source: Binary string: msdt.pdbGCTL source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
                      Source: Binary string: wntdll.pdbUGP source: dNeoJAgJU5.exe, 0000000E.00000002.847661435.0000000000F20000.00000040.00000001.sdmp, msdt.exe, 00000011.00000002.910826461.0000000005040000.00000040.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: dNeoJAgJU5.exe, msdt.exe
                      Source: Binary string: msdt.pdb source: dNeoJAgJU5.exe, 0000000E.00000002.848858415.0000000002C20000.00000040.00000001.sdmp
                      Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.813100671.0000000005A00000.00000002.00000001.sdmp

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: dNeoJAgJU5.exe, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: dNeoJAgJU5.exe.1.dr, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.dNeoJAgJU5.exe.50000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.dNeoJAgJU5.exe.50000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 13.2.dNeoJAgJU5.exe.370000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 13.0.dNeoJAgJU5.exe.370000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 14.0.dNeoJAgJU5.exe.4e0000.2.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 14.0.dNeoJAgJU5.exe.4e0000.0.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 14.2.dNeoJAgJU5.exe.4e0000.1.unpack, Ubntsxgpdyqmjn.Attributes/ExpressionWatcherAttribute.cs | .Net Code: FindProduct System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Yara detected Costura Assembly Loader
                      Source: Yara match | File source: dNeoJAgJU5.exe, type: SAMPLE
                      Source: Yara match | File source: 00000001.00000002.796802403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000000.795971862.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.794448799.0000000000372000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000000.795210062.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.641852004.0000000000052000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.846927570.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.910650632.0000000004BF6000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.911108077.000000000556F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000000.793684008.0000000000372000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: dNeoJAgJU5.exe PID: 7144, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: dNeoJAgJU5.exe PID: 6880, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: dNeoJAgJU5.exe PID: 4904, type: MEMORY
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe, type: DROPPED
                      Source: Yara match | File source: 17.2.msdt.exe.556f834.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.0.dNeoJAgJU5.exe.370000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.dNeoJAgJU5.exe.370000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.msdt.exe.556f834.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.0.dNeoJAgJU5.exe.4e0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.0.dNeoJAgJU5.exe.4e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.dNeoJAgJU5.exe.50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.dNeoJAgJU5.exe.4e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.dNeoJAgJU5.exe.50000.0.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00417B68 push ebx; ret
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0041CEB5 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0041CF6C push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0041CF02 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0041CF0B push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_004167E2 push esi; retf
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_0040C78D push ecx; iretd
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F9D0D1 push ecx; ret
                      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_050BD0D1 push ecx; ret
                      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EB7B68 push ebx; ret
                      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EBCEB5 push eax; ret
                      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EB67E2 push esi; retf
                      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EAC78D push ecx; iretd
                      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EBCF6C push eax; ret
                      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EBCF0B push eax; ret
                      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 17_2_00EBCF02 push eax; ret
                      Source: initial sample | Static PE information: section name: .text entropy: 7.99020457416
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | File created: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe

                      Hooking and other Techniques for Hiding and Protection:

                      Modifies the prolog of user mode functions (user mode inline hooks)
                      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE6
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
                      Tries to detect virtualization through RDTSC time measurements
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                      Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000EA98E4 second address: 0000000000EA98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                      Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000EA9B5E second address: 0000000000EA9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00409A90 rdtsc
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exe TID: 4732 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\explorer.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Thread delayed: delay time: 922337203685477
                      Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                      Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: explorer.exe, 00000010.00000000.816929944.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: explorer.exe, 00000010.00000000.817062872.000000000A64D000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATALL
                      Source: explorer.exe, 00000010.00000000.813704987.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: dNeoJAgJU5.exe, 00000001.00000002.798914394.00000000023F1000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
                      Source: explorer.exe, 00000010.00000000.836654921.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
                      Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: explorer.exe, 00000010.00000000.817203156.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
                      Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: explorer.exe, 00000010.00000000.817203156.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
                      Source: explorer.exe, 00000010.00000000.836654921.0000000004710000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
                      Source: dNeoJAgJU5.exe, 00000001.00000002.802910334.0000000004A30000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.812979043.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00409A90 rdtsc
                      Source: C:\Users\user\Desktop\dNeoJAgJU5.exe | Code function: 1_2_00701230 LdrInitializeThunk,
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F6B8E4 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F440E1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F458EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FDB8D0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FDB8D0 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FDB8D0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7F0BF mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7F0BF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F890AF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F720A0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F49080 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FC3884 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_010049A4 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F60050 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F6A830 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7002D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F5B02A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FC7016 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_01014015 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FD41E8 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F4B1E1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FC51BE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F699BF mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F699BF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F699BF mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F699BF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F699BF mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F699BF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F699BF mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F699BF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F761A0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00FC69A6 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F72990 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F7A185 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_01002073 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F6C182 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_01011074 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | Code function: 14_2_00F4B171 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F4B171 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F4C962 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6B944 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6B944 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F7513A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F7513A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F64120 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F64120 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F64120 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F64120 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F64120 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F49100 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F49100 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F49100 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F72AE4 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_0100131B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F72ACB mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F5AAB0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F5AAB0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F7FAB0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F452A5 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F452A5 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F452A5 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F452A5 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F452A5 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01018B58 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F7D294 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F7D294 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F8927A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_0100138A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FFB260 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FFB260 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01015BA5 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FD4257 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F49240 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F49240 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F49240 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F49240 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F84A2C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F84A2C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A229 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F4AA16 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F4AA16 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F45210 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F45210 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F45210 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F45210 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F63A1C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F58A0A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F703E2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F703E2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F703E2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F703E2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F703E2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F703E2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_0100AA16 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_0100AA16 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FF23E3 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FF23E3 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FF23E3 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6DBE9 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FC53CA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FC53CA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_0100EA55 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F74BAD mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F74BAD mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F74BAD mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F72397 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01018A62 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F7B390 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F51B8F mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F51B8F mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FFD380 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F73B7A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F73B7A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F4DB60 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F4F358 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F4DB40 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01004AEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F6A309 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FC6CF0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FC6CF0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00FC6CF0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_01018D34 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_0100E539 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exeCode function: 14_2_00F5849B mov eax