Windows Analysis Report
pebbles.dat.dll

Overview

General Information

Sample Name: pebbles.dat.dll
Analysis ID: 715156
MD5: d89521adaf6418e6ebe43b1a1a9d2af9
SHA1: 38cac8495ef43e51cdac1cb5e85d10137b365bee
SHA256: 1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
Tags: dll

Detection

Qbot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Entry point lies outside standard sections
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Registers a DLL
PE file overlay found
Creates a process in suspended mode (likely to inject code)
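The "Sigma detected: Execute DLL with spoofed extension" signature above fires because regsvr32.exe and rundll32.exe load whatever module they are handed regardless of its file extension, and this report shows the sample being loaded through both. The following Python is an added example (not the sandbox's or the Sigma project's code) that re-implements that check over process-creation command lines: it extracts the module argument from a regsvr32/rundll32 invocation and flags it when the extension is not a DLL-style one. The allowed-extension set, the tokenizer, and the sample command lines are assumptions constructed for this example; the exact Sigma rule logic is not on the page.

```python
"""Sigma-style check for "Execute DLL with spoofed extension".

Added example: flags regsvr32.exe / rundll32.exe command lines whose module
argument does not carry a DLL-style extension.  Extension set and sample
command lines are assumptions for this example, not data from the report.
"""
from typing import List, Optional, Tuple

LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Assumption: extensions a legitimate loader invocation normally carries.
DLL_EXTS = {".dll", ".ocx", ".cpl", ".ax"}


def _split_cmdline(cmd: str) -> List[str]:
    """Minimal Windows command-line tokenizer honouring double quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def loaded_module(cmd: str) -> Optional[str]:
    """Return the module path a regsvr32/rundll32 command line loads, else None."""
    toks = _split_cmdline(cmd)
    if not toks:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if not exe.endswith(".exe"):
        exe += ".exe"
    if exe not in LOADERS:
        return None
    for tok in toks[1:]:
        if tok.startswith("/") or tok.startswith("-"):
            continue  # regsvr32 switches such as /s, /n, /u, /i:...
        # rundll32 takes "module,EntryPoint" as a single argument; the split
        # assumes the module path itself contains no comma.
        return tok.split(",", 1)[0] if exe == "rundll32.exe" else tok
    return None


def spoofed_extension(module: str) -> bool:
    """True when the module's extension is not a DLL-style extension."""
    name = module.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    if name.endswith("."):
        return True   # trailing dot suppresses LoadLibrary's default ".dll"
    if "." not in name:
        return False  # no extension: the loader appends ".dll" itself
    ext = "." + name.rsplit(".", 1)[-1].lower()
    return ext not in DLL_EXTS


def scan(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (command line, module) pairs that match the spoofed-extension check."""
    hits = []
    for cmd in cmdlines:
        module = loaded_module(cmd)
        if module is not None and spoofed_extension(module):
            hits.append((cmd, module))
    return hits


# Constructed process-creation command lines for demonstration (not from the report).
SAMPLE_CMDLINES = [
    r"C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat",
    r"rundll32.exe C:\Users\user\Desktop\pebbles.dat,DllRegisterServer",
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\pebbles.dat.dll",#1',
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\rundll32.exe C:\Users\user\Desktop\pebbles.,Start",
    r"C:\Windows\System32\notepad.exe pebbles.dat",
]

if __name__ == "__main__":
    for cmd, module in scan(SAMPLE_CMDLINES):
        print(f"SPOOFED EXTENSION  module={module}\n    {cmd}")
```

The trailing-dot case is included because a module name ending in "." stops the loader from appending ".dll", so a bare `pebbles.` is loaded as-is while `pebbles` would resolve to `pebbles.dll`; a check that only looks for a missing ".dll" suffix misses the first form.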

Classification

AV Detection

Source: pebbles.dat.dll ReversingLabs: Detection: 16%
Source: pebbles.dat.dll Joe Sandbox ML: detected
Source: pebbles.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: pebbles.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\cpp\out\out\desktop.pdb source: regsvr32.exe, 00000003.00000002.252814839.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.253212407.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.252999477.000000006D954000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316C123 FindFirstFileW,FindNextFileW, 3_2_0316C123
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0346C123 FindFirstFileW,FindNextFileW, 4_2_0346C123
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_03165D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject, 3_2_03165D1E

System Summary

Source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
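The memory-dump names quoted above (for example 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp) encode which process the Yara hit came from, where the region sits and what kind of memory it is, which is what an analyst needs to decide which dump to pull first. The following Python is an added example (not Joe Sandbox's code) that decodes those identifiers and ranks the executable regions that are not backed by an image file, the usual home of unpacked or injected code. The first field (process index) and the fourth (base address) are confirmed by the report's own names such as 8.2.wermgr.exe.2d40000.0.unpack; reading the fifth field as a Windows PAGE_* protection and the seventh as the MEM_IMAGE/MEM_MAPPED/MEM_PRIVATE region type is an assumption based on the values matching those constants exactly, and the remaining fields are left undecoded. The process-index-to-image table is taken from the dump attributions in this report.

```python
"""Decode Joe Sandbox *.sdmp memory-dump identifiers and rank regions for triage.

Added example.  Assumed layout:
  PPPPPPPP.SSSSSSSS.DDDDDDDDD.BBBBBBBBBBBBBBBB.RRRRRRRR.XXXXXXXX.TTTTTTTT.NNNNNNNN.sdmp
  P = process index, S = dump stage, D = dump id, B = region base address,
  R = page protection (PAGE_*), T = region type (MEM_*), X/N = not decoded.
P and B are confirmed by the report's own "8.2.wermgr.exe.2d40000.0.unpack" names;
R and T are an assumption (the values fit the Windows constants exactly).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

PAGE_PROTECT: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE: Dict[int, str] = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Process index -> image, from the dump attributions in this report.
PROCESS_BY_INDEX: Dict[int, str] = {3: "regsvr32.exe", 4: "rundll32.exe", 5: "rundll32.exe",
                                    7: "wermgr.exe", 8: "wermgr.exe", 9: "wermgr.exe"}

SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class MemRegion:
    process_index: int
    process: str
    stage: int
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == 0x1000000

    @property
    def suspicious(self) -> bool:
        # Executable memory that is not a mapped image on disk: unpacked or injected code.
        return self.executable and not self.image_backed

    def describe(self) -> str:
        prot = PAGE_PROTECT.get(self.protect, hex(self.protect))
        kind = MEM_TYPE.get(self.mem_type, hex(self.mem_type))
        return f"{self.process} (idx {self.process_index}) base=0x{self.base:X} {prot} {kind}"


def parse_sdmp(name: str) -> MemRegion:
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    idx = int(m["proc"], 16)  # assumed hex; identical to decimal for indices below 10
    return MemRegion(idx, PROCESS_BY_INDEX.get(idx, f"index-{idx}"), int(m["stage"], 16),
                     int(m["base"], 16), int(m["protect"], 16), int(m["type"], 16))


def find_sdmps(text: str) -> List[MemRegion]:
    """Extract every dump identifier from raw report text."""
    return [parse_sdmp(m.group(0)) for m in SDMP_RE.finditer(text)]


def triage(names: List[str]) -> List[MemRegion]:
    """Suspicious regions, one per (process, base), ordered by process then address."""
    seen: Dict[tuple, MemRegion] = {}
    for region in map(parse_sdmp, names):
        if region.suspicious:
            seen.setdefault((region.process_index, region.base), region)
    return sorted(seen.values(), key=lambda r: (r.process_index, r.base))


# Dump identifiers quoted in this report.
REPORT_DUMP_NAMES = (
    "00000003.00000002.252814839.000000006D954000.00000080.00000001.01000000.00000003.sdmp",
    "00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp",
    "00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp",
    "00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp",
    "00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp",
    "00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp",
    "00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp",
    "00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp",
)

if __name__ == "__main__":
    for region in triage(list(REPORT_DUMP_NAMES)):
        print("PULL FIRST:", region.describe())
```

Run against this report's identifiers, the Yara-matched regions in regsvr32.exe and rundll32.exe decode as PAGE_EXECUTE_READWRITE MEM_PRIVATE (self-unpacked code in the loader process), while the matched regions in wermgr.exe decode as PAGE_EXECUTE_READWRITE MEM_MAPPED, which is what section-mapping injection leaves behind and fits the "Maps a DLL or memory area into another process" signature. The 0x6D954000 dump from the desktop.pdb line decodes as MEM_IMAGE and drops out of the triage list, as it is just the sample DLL itself loaded from disk.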
Source: pebbles.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317676F 3_2_0317676F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031763B0 3_2_031763B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031782A0 3_2_031782A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031735EE 3_2_031735EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031729E9 3_2_031729E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347676F 4_2_0347676F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_034763B0 4_2_034763B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_034782A0 4_2_034782A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_034735EE 4_2_034735EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_034729E9 4_2_034729E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 3_2_0316D538
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 3_2_0316D9DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0346D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 4_2_0346D538
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0346D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 4_2_0346D9DE
Source: pebbles.dat.dll.9.dr Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: pebbles.dat.dll.9.dr Static PE information: Data appended to the last section found
Source: pebbles.dat.dll ReversingLabs: Detection: 16%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Qyioamjyn
Source: classification engine Classification label: mal96.troj.evad.winDLL@20/1@0/0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316E485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 3_2_0316E485
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316BAF6 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification, 3_2_0316BAF6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{87A9C091-A3AF-4261-9AFC-CA51D21F1994}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{5CABA7A4-044A-4BD5-8AE5-94537A2F3136}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{5CABA7A4-044A-4BD5-8AE5-94537A2F3136}
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: pebbles.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\cpp\out\out\desktop.pdb source: regsvr32.exe, 00000003.00000002.252814839.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.253212407.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.252999477.000000006D954000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317CB95 push esi; iretd 3_2_0317CB9A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317AEB6 push cs; iretd 3_2_0317AE8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317ADB4 push cs; iretd 3_2_0317AE8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317B066 push ebx; ret 3_2_0317B067
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347CB95 push esi; iretd 4_2_0347CB9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347AEB6 push cs; iretd 4_2_0347AE8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347ADB4 push cs; iretd 4_2_0347AE8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347B066 push ebx; ret 4_2_0347B067
Source: pebbles.dat.dll Static PE information: section name: .reloc6s
Source: pebbles.dat.dll Static PE information: section name: .hata
Source: pebbles.dat.dll.9.dr Static PE information: section name: .reloc6s
Source: pebbles.dat.dll.9.dr Static PE information: section name: .hata
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316EF38 LoadLibraryA,GetProcAddress, 3_2_0316EF38
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
Source: initial sample Static PE information: section name: .data entropy: 7.0153365923230595
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\Desktop\pebbles.dat.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5988 base: 983C50 value: E9 42 26 2E 02
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5996 base: 983C50 value: E9 42 26 3C 02
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6004 base: 983C50 value: E9 42 26 03 02
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXEN
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE,
Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE+
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE,
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE,
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE*
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEL
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE,
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE,
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5908 Thread sleep count: 135 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5960 Thread sleep count: 106 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5992 Thread sleep count: 59 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 6000 Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 6052 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\wermgr.exe TID: 6064 Thread sleep time: -135000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316DDE7 GetSystemInfo, 3_2_0316DDE7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316C123 FindFirstFileW,FindNextFileW, 3_2_0316C123
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0346C123 FindFirstFileW,FindNextFileW, 4_2_0346C123
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316EF38 LoadLibraryA,GetProcAddress, 3_2_0316EF38
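The analysis-tool names (WINDUMP.EXE, PROCMON.EXE, ...) and the AV process names found in the dumped memory regions are the raw material of the "tries to detect sandboxes" and "AV process strings found" signatures. A triage step that is not part of the Joe Sandbox report is to confirm, in a dumped region of your own, which of these names are present and in which encoding, because a name stored as UTF-16 will not be found by a plain ASCII grep. The following is an added example written for this page, not code from the report or from Joe Sandbox; the name lists are copied from the memory-string lines above, the SAMPLE_REGION bytes are constructed here, and treating both ASCII and UTF-16LE as candidate encodings is this example's own assumption.

```python
import re

# Name lists taken from the "Binary or memory string" lines of this report.
ANALYSIS_TOOLS = ["WINDUMP.EXE", "PROCMON.EXE", "PROC_ANALYZER.EXE",
                  "SNIFF_HIT.EXE", "IMPORTREC.EXE", "SYSANALYZER.EXE"]
AV_PROCESSES = ["bdagent.exe", "vsserv.exe", "avp.exe",
                "avgcsrvx.exe", "mcshield.exe", "MsMpEng.exe"]

# Constructed stand-in for a dumped memory region (not a real dump): a few of the
# names, some ASCII and some UTF-16LE, between filler bytes.
SAMPLE_REGION = (b"\x00" * 16
                 + b"PROCMON.EXE," + b"\x00" * 8
                 + "sysanalyzer.exe".encode("utf-16-le") + b"\x00" * 8
                 + b"MsMpEng.exe\x00avp.exe\x00" + b"\xcc" * 16)


def find_names(region, names):
    """Locate each name in `region` as ASCII or UTF-16LE, case-insensitively.

    Returns {name: [(offset, encoding), ...]} containing only names that occur.
    re.IGNORECASE on a bytes pattern folds ASCII letters only, which is exactly
    what is needed for UTF-16LE text made of ASCII characters (the interleaved
    NUL bytes are matched literally).
    """
    hits = {}
    for name in names:
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(name.encode(enc)), re.IGNORECASE)
            for m in pat.finditer(region):
                hits.setdefault(name, []).append((m.start(), enc))
    return hits


def classify_region(region):
    """Summarise which anti-analysis and AV names a region carries, and how they are stored."""
    tools = find_names(region, ANALYSIS_TOOLS)
    av = find_names(region, AV_PROCESSES)
    encodings = {enc for hits in (*tools.values(), *av.values()) for _, enc in hits}
    return {
        "analysis_tools": sorted(tools),
        "av_products": sorted(av),
        "encodings": sorted(encodings),
    }


if __name__ == "__main__":
    for name, where in find_names(SAMPLE_REGION, ANALYSIS_TOOLS + AV_PROCESSES).items():
        print(name, where)
    print(classify_region(SAMPLE_REGION))
```

On a real dump, feed the bytes of one of the `.sdmp` regions named above to `classify_region`; a region in which both lists appear together is a good candidate for the unpacked payload rather than for unrelated process memory.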

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2C90000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2D70000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 29E0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2C90000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2D70000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 29E0000 protect: page read and write
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316A1F8 GetSystemTimeAsFileTime, 3_2_0316A1F8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316DFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW, 3_2_0316DFC2
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
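Read together, the "Process created", "Memory allocated", "Memory written" and "Section loaded" lines in this section describe one injection chain repeated by each loader instance: regsvr32.exe or rundll32.exe spawns a fresh wermgr.exe, allocates a read/write region in it, writes to that region and to a second address, and maps an execute/read/write section into it. The second write target, 983C50, is the same in all three instances while the allocated bases differ, so it is most likely a fixed location in memory wermgr.exe already owned rather than freshly allocated memory. The following is an added example written for this page, not code from the report or from Joe Sandbox: it reconstructs those per-source, per-target chains from the signature lines above (copied verbatim into REPORT_LINES) and scores them. The line formats it parses, the indicator names and the verdict rule are this example's own assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed input: the injection-related signature lines from this section of the report.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2C90000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2D70000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 29E0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2C90000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2D70000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 29E0000 protect: page read and write
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
"""

# Line shapes as they appear in this report (an assumption of this example, not a Joe Sandbox spec).
PATTERNS = {
    "section": re.compile(r"^Source: (?P<src>\S+) Section loaded: unknown target: (?P<dst>\S+) protection: (?P<prot>.+)$"),
    "write": re.compile(r"^Source: (?P<src>\S+) Memory written: (?P<dst>\S+) base: (?P<base>[0-9A-Fa-f]+)$"),
    "alloc": re.compile(r"^Source: (?P<src>\S+) Memory allocated: (?P<dst>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$"),
    "spawn": re.compile(r"^Source: (?P<src>\S+) Process created: (?P<dst>\S+) (?P<cmd>.+)$"),
}


def parse_events(text):
    """Yield (kind, source_image, target_image, fields) for each recognised line."""
    for raw in text.strip().splitlines():
        line = re.sub(r"\s+Jump to behavior$", "", raw.strip())  # tolerate the page's link text
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                f = m.groupdict()
                yield kind, ntpath.basename(f.pop("src")), ntpath.basename(f.pop("dst")), f
                break


def build_chains(text):
    """Group events by (source, target): allocations, writes, section maps, spawns."""
    chains = defaultdict(lambda: {"allocs": {}, "writes": [], "sections": [], "spawned": 0})
    for kind, src, dst, f in parse_events(text):
        c = chains[(src, dst)]
        if kind == "alloc":
            c["allocs"][int(f["base"], 16)] = f["prot"]
        elif kind == "write":
            c["writes"].append(int(f["base"], 16))
        elif kind == "section":
            c["sections"].append(f["prot"])
        elif kind == "spawn":
            c["spawned"] += 1
    return dict(chains)


def assess(chain):
    """Derive injection indicators and a verdict for one (source, target) chain."""
    ind = []
    if chain["spawned"]:
        ind.append("spawns_target")
    if chain["allocs"]:
        ind.append("remote_alloc")
    if chain["writes"]:
        ind.append("remote_write")
    if any("execute" in p for p in chain["sections"]):
        ind.append("executable_section_mapped")
    # Writes to an address the source never allocated hit memory the target already owned.
    foreign = sorted({w for w in chain["writes"] if w not in chain["allocs"]})
    if foreign:
        ind.append("write_to_preexisting_memory")
    if "remote_write" in ind or "executable_section_mapped" in ind:
        verdict = "injection"
    elif "spawns_target" in ind:
        verdict = "spawn_only"
    else:
        verdict = "no_interaction"
    return {"indicators": ind, "unallocated_write_targets": [hex(a) for a in foreign], "verdict": verdict}


def triage(text):
    """Map 'source -> target' to its assessment for every chain in the report text."""
    return {f"{s} -> {d}": assess(c) for (s, d), c in build_chains(text).items()}


if __name__ == "__main__":
    for pair, result in triage(REPORT_LINES).items():
        print(pair, result)
```

The cmd.exe to rundll32.exe pair comes out as "spawn_only", which is the expected negative case: process creation alone is not injection. Both loader pairs come out as "injection" with the same 0x983c50 unallocated write target, which is the detail worth carrying into a hunt query (cross-process write to a fixed address in the target, paired with a new executable section).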

Stealing of Sensitive Information

Source: Yara match File source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos