Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
pebbles.dat.dll

Overview

General Information

Sample Name:pebbles.dat.dll
Analysis ID:715156
MD5:d89521adaf6418e6ebe43b1a1a9d2af9
SHA1:38cac8495ef43e51cdac1cb5e85d10137b365bee
SHA256:1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
Tags:dll
Infos:

Detection

Qbot
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Entry point lies outside standard sections
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Registers a DLL
PE file overlay found
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5860 cmdline: loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5896 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5916 cmdline: rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • wermgr.exe (PID: 5996 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • regsvr32.exe (PID: 5904 cmdline: regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • wermgr.exe (PID: 5988 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 5924 cmdline: rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 6004 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 5968 cmdline: rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6040 cmdline: rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_Qbot_1Yara detected QbotJoe Security
    00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmpWindows_Trojan_Qbot_92c67a6dunknownunknown
    • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
    00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmpWindows_Trojan_Qbot_3074a8d4unknownunknown
    • 0x1ca14:$a4: %u;%u;%u;
    • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
    • 0x1cdd8:$a6: %u&%s&%u
    • 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
    • 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
    • 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
    • 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
    • 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
    00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Qbot_1Yara detected QbotJoe Security
      00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Qbot_92c67a6dunknownunknown
      • 0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
      Click to see the 28 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      8.2.wermgr.exe.2d40000.0.raw.unpackJoeSecurity_Qbot_1Yara detected QbotJoe Security
        8.2.wermgr.exe.2d40000.0.raw.unpackWindows_Trojan_Qbot_92c67a6dunknownunknown
        • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
        8.2.wermgr.exe.2d40000.0.raw.unpackWindows_Trojan_Qbot_3074a8d4unknownunknown
        • 0x1ca14:$a4: %u;%u;%u;
        • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
        • 0x1cdd8:$a6: %u&%s&%u
        • 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
        • 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
        • 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
        • 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
        • 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
        8.0.wermgr.exe.2d40000.0.unpackJoeSecurity_Qbot_1Yara detected QbotJoe Security
          8.0.wermgr.exe.2d40000.0.unpackWindows_Trojan_Qbot_92c67a6dunknownunknown
          • 0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
          Click to see the 61 entries

          Sigma Signatures

          Data Obfuscation

          barindex
          Sigma detected: Execute DLL with spoofed extension
          Source: Process startedAuthor: Joe Security: Data: Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1, CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 5860, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1, ProcessId: 5896, ProcessName: cmd.exe

          Snort Signatures

          No Snort rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: pebbles.dat.dllReversingLabs: Detection: 16%
          Machine Learning detection for sample
          Source: pebbles.dat.dllJoe Sandbox ML: detected
          Source: pebbles.dat.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          Source: pebbles.dat.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: E:\cpp\out\out\desktop.pdb source: regsvr32.exe, 00000003.00000002.252814839.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.253212407.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.252999477.000000006D954000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
          Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316C123 FindFirstFileW,FindNextFileW,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0346C123 FindFirstFileW,FindNextFileW,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_03165D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject,

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: pebbles.dat.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          Source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0317676F
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031763B0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031782A0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031735EE
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031729E9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0347676F
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_034763B0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_034782A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_034735EE
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_034729E9
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0346D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0346D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
          Source: pebbles.dat.dll.9.drStatic PE information: No import functions for PE file found
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
          Source: pebbles.dat.dll.9.drStatic PE information: Data appended to the last section found
          Source: pebbles.dat.dllReversingLabs: Detection: 16%
          Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\wermgr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\QyioamjynJump to behavior
          Source: classification engineClassification label: mal96.troj.evad.winDLL@20/1@0/0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316E485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316BAF6 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{87A9C091-A3AF-4261-9AFC-CA51D21F1994}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
          Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{5CABA7A4-044A-4BD5-8AE5-94537A2F3136}
          Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{5CABA7A4-044A-4BD5-8AE5-94537A2F3136}
          Source: pebbles.dat.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: pebbles.dat.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: pebbles.dat.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: pebbles.dat.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: pebbles.dat.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: pebbles.dat.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: pebbles.dat.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
          Source: pebbles.dat.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: E:\cpp\out\out\desktop.pdb source: regsvr32.exe, 00000003.00000002.252814839.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.253212407.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.252999477.000000006D954000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
          Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0317CB95 push esi; iretd
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0317AEB6 push cs; iretd
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0317ADB4 push cs; iretd
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0317B066 push ebx; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0347CB95 push esi; iretd
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0347AEB6 push cs; iretd
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0347ADB4 push cs; iretd
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0347B066 push ebx; ret
          Source: pebbles.dat.dllStatic PE information: section name: .reloc6s
          Source: pebbles.dat.dllStatic PE information: section name: .hata
          Source: pebbles.dat.dll.9.drStatic PE information: section name: .reloc6s
          Source: pebbles.dat.dll.9.drStatic PE information: section name: .hata
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316EF38 LoadLibraryA,GetProcAddress,
          Source: initial sampleStatic PE information: section where entry point is pointing to: .data
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
          Source: initial sampleStatic PE information: section name: .data entropy: 7.0153365923230595
          Source: C:\Windows\SysWOW64\wermgr.exeFile created: C:\Users\user\Desktop\pebbles.dat.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection

          barindex
          Overwrites code with unconditional jumps - possibly settings hooks in foreign process
          Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 5988 base: 983C50 value: E9 42 26 2E 02
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 5996 base: 983C50 value: E9 42 26 3C 02
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6004 base: 983C50 value: E9 42 26 03 02
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SYSANALYZER.EXEN
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PETOOLS.EXE,
          Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINDUMP.EXE+
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROC_ANALYZER.EXE,
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
          Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TCPDUMP.EXE,
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE*
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMPORTREC.EXE
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEL
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PETOOLS.EXE
          Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TCPDUMP.EXE
          Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINDUMP.EXE
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE,
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROC_ANALYZER.EXE
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SNIFF_HIT.EXE
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMPORTREC.EXE,
          Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SYSANALYZER.EXE
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5908Thread sleep count: 135 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5960Thread sleep count: 106 > 30
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 5992Thread sleep count: 59 > 30
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 6000Thread sleep count: 41 > 30
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 6052Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 6064Thread sleep time: -135000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
          Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\Windows\SysWOW64\regsvr32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316DDE7 GetSystemInfo,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316C123 FindFirstFileW,FindNextFileW,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0346C123 FindFirstFileW,FindNextFileW,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316EF38 LoadLibraryA,GetProcAddress,

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Writes to foreign memory regions
          Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 2C90000
          Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 2D70000
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 29E0000
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
          Allocates memory in foreign processes
          Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2C90000 protect: page read and write
          Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2D70000 protect: page read and write
          Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\SysWOW64\wermgr.exe base: 29E0000 protect: page read and write
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\wermgr.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\wermgr.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316A1F8 GetSystemTimeAsFileTime,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0316DFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW,
          Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bdagent.exe
          Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vsserv.exe
          Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avp.exe
          Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avgcsrvx.exe
          Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mcshield.exe
          Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          barindex
          Yara detected Qbot
          Source: Yara matchFile source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected Qbot
          Source: Yara matchFile source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts3
          Native API          		1
          DLL Side-Loading          		311
          Process Injection          		1
          Masquerading          		1
          Credential API Hooking          		1
          System Time Discovery          		Remote Services1
          Screen Capture          		Exfiltration Over Other Network Medium1
          Encrypted Channel          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		1
          Virtualization/Sandbox Evasion          		LSASS Memory11
          Security Software Discovery          		Remote Desktop Protocol1
          Credential API Hooking          		Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)311
          Process Injection          		Security Account Manager1
          Virtualization/Sandbox Evasion          		SMB/Windows Admin Shares1
          Archive Collected Data          		Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)2
          Obfuscated Files or Information          		NTDS2
          Process Discovery          		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          Regsvr32          		LSA Secrets1
          File and Directory Discovery          		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common1
          Rundll32          		Cached Domain Credentials15
          System Information Discovery          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items1
          Software Packing          		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          DLL Side-Loading          		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 715156 Sample: pebbles.dat.dll Startdate: 03/10/2022 Architecture: WINDOWS Score: 96 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 3 other signatures 2->37 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 regsvr32.exe 8->15         started        17 3 other processes 8->17 signatures5 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->47 49 Writes to foreign memory regions 10->49 51 Allocates memory in foreign processes 10->51 19 wermgr.exe 8 1 10->19         started        22 rundll32.exe 13->22         started        53 Maps a DLL or memory area into another process 15->53 25 wermgr.exe 15->25         started        process6 file7 29 C:\Users\user\Desktop\pebbles.dat.dll, PE32 19->29 dropped 39 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->39 41 Writes to foreign memory regions 22->41 43 Allocates memory in foreign processes 22->43 45 Maps a DLL or memory area into another process 22->45 27 wermgr.exe 22->27         started        signatures8 process9

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          pebbles.dat.dll17%ReversingLabs
          pebbles.dat.dll100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          4.2.rundll32.exe.3460000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          5.2.rundll32.exe.4a60000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          3.2.regsvr32.exe.3160000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          8.2.wermgr.exe.2d40000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          7.0.wermgr.exe.2c60000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          8.0.wermgr.exe.2d40000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          7.2.wermgr.exe.2c60000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          9.0.wermgr.exe.29b0000.0.unpack100%AviraHEUR/AGEN.1234562Download File

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox Version:36.0.0 Rainbow Opal
          Analysis ID:715156
          Start date and time:2022-10-03 17:26:43 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 10m 25s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:pebbles.dat.dll
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:22
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal96.troj.evad.winDLL@20/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 25.4% (good quality ratio 24.2%)
          • Quality average: 77.4%
          • Quality standard deviation: 26%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .dll
          • Override analysis time to 240s for rundll32

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): fs.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.

          Simulations

          Behavior and APIs

          TimeTypeDescription
          17:27:47API Interceptor9x Sleep call for process: wermgr.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\Desktop\pebbles.dat.dll

          Download File
          Process:C:\Windows\SysWOW64\wermgr.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):4096
          Entropy (8bit):4.667100449217363
          Encrypted:false
          SSDEEP:96:UORfeVXzt2Dk1dyqIF9JhsLwAOhf2ZW2wIPD:UORAjMkXIKPD
          MD5:21928784DA52AB71A60AF59EFA95CDAD
          SHA1:4FF8ECD9B0370614EA0C3D8583A51DF9D2481844
          SHA-256:285861283C9DC3F2D892B3CC186AD64CF17217D394B227A70B6C657C39D6568B
          SHA-512:CD79DFD111B8E1E8A3EB2F7E57DFB71D76AF677D6696564C15413391D7734F0C4A10D3987A3D4D9739C082C0710BC5B8566A4D4AB295EA501B5D909D0294C3F8
          Malicious:true
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.....~[..~[..~[..}Z..~[..{Z..~[..zZ..~[I.zZ..~[I.}Z..~[I.{ZX.~[...Z..~[...[o.~[..wZ..~[..~Z..~[..[..~[...[..~[..|Z..~[Rich..~[........................PE..L.....:c...........!.........~..............0............................................@..........................p.......A..P................................6......p...........................0...@............@...............................data....a.......b.................. ....reloc6s.............f.............. ..`CODE.........0...........................idata..0....@......................@..@.hata....5...P...6..................@..@DATA....T............J..............@..@.rsrc................L..............@..@.reloc...6.......8...N..............@..B........................................................................................................................................................

          Static File Info

          General

          File type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Entropy (8bit):6.9607693404023925
          TrID:
          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
          • Generic Win/DOS Executable (2004/3) 0.20%
          • DOS Executable Generic (2002/1) 0.20%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:pebbles.dat.dll
          File size:493056
          MD5:d89521adaf6418e6ebe43b1a1a9d2af9
          SHA1:38cac8495ef43e51cdac1cb5e85d10137b365bee
          SHA256:1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
          SHA512:703db1e11372070dbbabc8a96c8600f079273e4dfad4e5437a5fd4b046187cf9f24b47ad68fadaf3bcf7fb1dcad8ecf98edd299281938eb144c4c6c29d68461f
          SSDEEP:12288:Y2X+B4HKFVxT5jXAcOf35HI9H5RGqdIhr54f:L5EVl5DC4HDbd
          TLSH:DBA48D0AB612C430D66910B12876BBE047ACBD325E751EDF73805F778A641F77A29F22
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.....~[..~[..~[..}Z..~[..{Z..~[..zZ..~[I.zZ..~[I.}Z..~[I.{ZX.~[...Z..~[...[o.~[..wZ..~[..~Z..~[...[..~[...[..~[..|Z..~[Rich..~

          File Icon

          Icon Hash:74f0e4ecccdce0e4

          Static PE Info

          General

          Entrypoint:0x100382d9
          Entrypoint Section:.data
          Digitally signed:false
          Imagebase:0x10000000
          Subsystem:windows cui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x633AE6FF [Mon Oct 3 13:43:27 2022 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:8877a7b766af3aace7fcad8462a174cc

          Entrypoint Preview

          Instruction
          push ebp
          mov ebp, esp
          cmp dword ptr [ebp+0Ch], 01h
          jne 00007F5C910C8327h
          call 00007F5C910C8844h
          push dword ptr [ebp+10h]
          push dword ptr [ebp+0Ch]
          push dword ptr [ebp+08h]
          call 00007F5C910C81D3h
          add esp, 0Ch
          pop ebp
          retn 000Ch
          cmp ecx, dword ptr [10001D84h]
          jne 00007F5C910C8323h
          ret
          jmp 00007F5C910C892Dh
          mov ecx, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], ecx
          pop ecx
          pop edi
          pop edi
          pop esi
          pop ebx
          mov esp, ebp
          pop ebp
          push ecx
          ret
          push eax
          push dword ptr fs:[00000000h]
          lea eax, dword ptr [esp+0Ch]
          sub esp, dword ptr [esp+0Ch]
          push ebx
          push esi
          push edi
          mov dword ptr [eax], ebp
          mov ebp, eax
          mov eax, dword ptr [10001D84h]
          xor eax, ebp
          push eax
          push dword ptr [ebp-04h]
          mov dword ptr [ebp-04h], FFFFFFFFh
          lea eax, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], eax
          ret
          push eax
          push dword ptr fs:[00000000h]
          lea eax, dword ptr [esp+0Ch]
          sub esp, dword ptr [esp+0Ch]
          push ebx
          push esi
          push edi
          mov dword ptr [eax], ebp
          mov ebp, eax
          mov eax, dword ptr [10001D84h]
          xor eax, ebp
          push eax
          mov dword ptr [ebp-10h], esp
          push dword ptr [ebp-04h]
          mov dword ptr [ebp-04h], FFFFFFFFh
          lea eax, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], eax
          ret
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push ecx
          lea ecx, dword ptr [esp+08h]
          sub ecx, eax
          and ecx, 0Fh
          add eax, ecx
          sbb ecx, ecx
          or eax, ecx

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x570100x10f.data
          IMAGE_DIRECTORY_ENTRY_IMPORT0x741880x50.idata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0x7a0000x1e0.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x7b0000x36b4.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0x311c00x70.data
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x312300x40.data
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x740000x184.idata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .data0x10000x5611f0x56200False0.6558956594702468data7.0153365923230595IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .reloc6s0x580000x1a0f90x1a200False0.3239383971291866COM executable for DOS6.066972398111804IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          CODE0x730000x2000x0False0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .idata0x740000xa300xc00False0.404296875data4.897788340416598IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .hata0x750000x35e70x3600False0.7127459490740741data5.561450278641814IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          DATA0x790000x540x200False0.162109375data1.2433795844140498IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .rsrc0x7a0000x1e00x200False0.53125data4.724728911998389IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc0x7b0000x36b40x3800False0.7310267857142857data6.633507194727193IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          NameRVASizeTypeLanguageCountry
          RT_MANIFEST0x7a0600x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States

          Imports

          DLLImport
          KERNEL32.dllSleep, DebugBreak, GetCurrentProcess, lstrlenA, GetCurrentThreadId, lstrcmpA, VirtualAlloc, GetVersion, GetCommandLineA, GetFileAttributesA, GetCurrentThread, GetCurrentProcessId, GetModuleHandleW, lstrcmpiA, CreateFileW, CloseHandle, GetModuleHandleA, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetStdHandle, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, MoveFileExW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetFilePointerEx, WriteConsoleW
          ADVAPI32.dllCryptCreateHash, CryptHashData, CryptDestroyHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA
          SHLWAPI.dllPathFindExtensionA, PathFindOnPathA, PathFileExistsA, PathFindSuffixArrayA, StrToIntA

          Exports

          NameOrdinalAddress
          DllRegisterServer10x1006eb00
          DllUnregisterServer20x1006f6f0
          bewailable30x10058e00
          courtlet40x10063590
          noncensored50x10067e60
          rhizocarpean60x100605f0
          stine70x10069040
          strigiles80x1005de90
          targetlike90x1006b820
          trimethoxy100x10061fd0

          Possible Origin

          Language of compilation systemCountry where language is spokenMap
          EnglishUnited States

          Network Behavior

          No network behavior found

          Statistics

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:17:27:36
          Start date:03/10/2022
          Path:C:\Windows\System32\loaddll32.exe
          Wow64 process (32bit):true
          Commandline:loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
          Imagebase:0x1200000
          File size:116736 bytes
          MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          General

          Target ID:1
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6edaf0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:2
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Imagebase:0xa60000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:3
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline:regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
          Imagebase:0x8c0000
          File size:20992 bytes
          MD5 hash:426E7499F6A7346F0410DEAD0805586B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          General

          Target ID:4
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Imagebase:0x1280000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          General

          Target ID:5
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
          Imagebase:0x1280000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          General

          Target ID:6
          Start time:17:27:40
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
          Imagebase:0x1280000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:7
          Start time:17:27:43
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x970000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:moderate

          General

          Target ID:8
          Start time:17:27:43
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x970000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          General

          Target ID:9
          Start time:17:27:43
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x970000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          General

          Target ID:10
          Start time:17:27:44
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
          Imagebase:0x1280000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Disassembly

          No disassembly