Windows Analysis Report
diatomaceous.dat.dll

Overview

General Information

Sample Name: diatomaceous.dat.dll
Analysis ID: 719511
MD5: 2e7f90e0c595d88d28f9fd979ccfcf33
SHA1: 8ff540ba601429c2ee0a444b0d2ec2650d178d23
SHA256: e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Tags: dll

Detection

Qbot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
PE file overlay found
Creates a process in suspended mode (likely to inject code)
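The "Sigma detected: Execute DLL with spoofed extension" entry above fires because the sample is handed to regsvr32.exe and rundll32.exe under a name whose inner extension (.dat) says "data file". The following detection logic is an added example and is not Joe Sandbox's or SigmaHQ's code: it reproduces the idea of that rule family over process-creation events with Sysmon-style field names (Image, CommandLine), which are assumed, and the sample events, including the desktop path for this report's DLL, are constructed because the report does not print the actual command lines.

```python
"""Process-creation detection modelled on the "Execute DLL with spoofed
extension" Sigma hit listed above.  Added example, not Joe Sandbox or SigmaHQ
code: the Sysmon-style field names (Image, CommandLine), the file paths and
the sample events are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Loaders that take a module path on the command line. regsvr32.exe and
# rundll32.exe are the two the report shows; loaddll32.exe is the sandbox's
# own loader and is included so the same logic covers the report's process 0.
LOADERS = {"regsvr32.exe", "rundll32.exe", "loaddll32.exe"}
# Extensions these loaders legitimately handle.
DLL_EXTENSIONS = {".dll", ".ocx", ".cpl", ".ax"}
# Extensions used to make a DLL look like data; ".dat" is the one in this sample.
DISGUISE_EXTENSIONS = {".dat", ".txt", ".jpg", ".png", ".gif", ".bin", ".log", ".tmp"}

_TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # quoted token or bare token


def module_path(command_line: str) -> str:
    """Return the module path passed to the loader, or '' if none is present."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(command_line)]
    for tok in tokens[1:]:                    # tokens[0] is the loader itself
        if tok.startswith(("/", "-")):
            continue                          # switches such as /s or /i
        path = tok.split(",", 1)[0]           # rundll32 syntax: path,Export
        if "\\" in path or "." in path:
            return path
    return ""


def extensions(path: str) -> List[str]:
    """Every dotted suffix of the file name, lower-cased.
    'C:\\x\\diatomaceous.dat.dll' -> ['.dat', '.dll']"""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ["." + part for part in name.split(".")[1:]]


def classify(event: Dict[str, str]) -> Tuple[bool, str]:
    """(suspicious?, reason) for one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in LOADERS:
        return False, ""
    path = module_path(event["CommandLine"])
    if not path:
        return False, ""
    exts = extensions(path)
    if not exts:
        return True, f"{image} loading a module without an extension: {path}"
    if exts[-1] not in DLL_EXTENSIONS:
        return True, f"{image} loading a module with extension {exts[-1]}: {path}"
    if DISGUISE_EXTENSIONS & set(exts[:-1]):
        return True, f"{image} loading a DLL with a disguised double extension {''.join(exts)}: {path}"
    return False, ""


# Constructed events. The first mirrors this report's sample name; the desktop
# path is an assumption, the report does not print the command line.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\user\Desktop\diatomaceous.dat.dll"'},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\update.dat,DllRegisterServer"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\invoice.png,#1"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Reasons for every event the rule flags, in input order."""
    reasons = []
    for event in events:
        flagged, reason = classify(event)
        if flagged:
            reasons.append(reason)
    return reasons


if __name__ == "__main__":
    for reason in scan(EVENTS):
        print("ALERT:", reason)
```

The check looks at every dotted suffix rather than only the last one, so a sample renamed to `.dat.dll` is still flagged while `msxml3.dll` and `shell32.dll,Control_RunDLL` pass. Expect noise from installers that legitimately register `.ocx` or `.cpl` modules; extend DLL_EXTENSIONS rather than weakening the double-extension check.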

Classification

AV Detection

Source: diatomaceous.dat.dll ReversingLabs: Detection: 73%
Source: diatomaceous.dat.dll Virustotal: Detection: 77%
Source: diatomaceous.dat.dll Metadefender: Detection: 44%
Source: diatomaceous.dat.dll Joe Sandbox ML: detected
Source: 8.2.wermgr.exe.e00000.0.unpack Malware Configuration Extractor: Qbot {"Bot id": "BB", "Campaign": "1664535088", "Version": "403.902", "C2 list": ["41.107.71.201:443", "105.101.230.16:443", "105.108.239.60:443", "196.64.227.5:8443", "41.249.158.221:995", "134.35.14.5:443", "113.170.117.251:443", "187.193.219.248:443", "122.166.244.116:443", "154.237.129.123:995", "41.98.229.81:443", "186.48.199.243:995", "102.156.3.13:443", "41.97.190.189:443", "197.207.191.164:443", "105.184.14.132:995", "196.207.146.151:443", "105.158.113.15:443", "196.89.42.89:995", "86.98.156.229:993", "177.174.119.195:32101", "81.156.194.147:2078", "80.253.189.55:443", "197.49.175.67:995", "177.45.78.52:993", "89.187.169.77:443", "196.92.59.242:995", "41.13.200.19:443", "41.97.195.237:443", "92.191.56.11:2222", "154.70.53.202:443", "210.186.37.98:50002"]}
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA82E60 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,std::ios_base::_Ios_base_dtor,Concurrency::cancel_current_task,std::ios_base::_Ios_base_dtor, 0_2_6DA82E60
Source: diatomaceous.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: diatomaceous.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA994B5 FindFirstFileExW, 0_2_6DA994B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073C123 FindFirstFileW,FindNextFileW, 3_2_0073C123
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00735D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject, 3_2_00735D1E
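The Qbot configuration listed above was recovered from the unpacked payload in wermgr.exe memory (8.2.wermgr.exe.e00000.0.unpack), not from the DLL on disk, which matches the injection signatures (suspended process creation, foreign memory writes) and the YARA hits in processes 7 to 9. The script below is an added example, not part of the report: it parses that configuration into IOC records, decodes the Campaign field (a Unix timestamp) to a UTC date, and emits a sorted address/port blocklist. The JSON literal is copied from the report; the record layout and the blocklist format are my own choices.

```python
"""Turn the Qbot configuration that the sandbox extracted from wermgr.exe
memory (8.2.wermgr.exe.e00000.0.unpack) into IOC records.  Added example,
not part of the report: the JSON literal is copied from the report, the
record layout and the blocklist format are my own choices."""
import ipaddress
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

# Configuration exactly as reported for 8.2.wermgr.exe.e00000.0.unpack.
EXTRACTED_CONFIG = """{"Bot id": "BB", "Campaign": "1664535088", "Version": "403.902",
"C2 list": ["41.107.71.201:443", "105.101.230.16:443", "105.108.239.60:443",
"196.64.227.5:8443", "41.249.158.221:995", "134.35.14.5:443", "113.170.117.251:443",
"187.193.219.248:443", "122.166.244.116:443", "154.237.129.123:995", "41.98.229.81:443",
"186.48.199.243:995", "102.156.3.13:443", "41.97.190.189:443", "197.207.191.164:443",
"105.184.14.132:995", "196.207.146.151:443", "105.158.113.15:443", "196.89.42.89:995",
"86.98.156.229:993", "177.174.119.195:32101", "81.156.194.147:2078", "80.253.189.55:443",
"197.49.175.67:995", "177.45.78.52:993", "89.187.169.77:443", "196.92.59.242:995",
"41.13.200.19:443", "41.97.195.237:443", "92.191.56.11:2222", "154.70.53.202:443",
"210.186.37.98:50002"]}"""


def parse_c2(entry: str) -> Tuple[str, int]:
    """'41.107.71.201:443' -> ('41.107.71.201', 443); rejects malformed entries."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    ipaddress.ip_address(host)                # raises on anything but a valid IP
    return host, int(port)


def campaign_time(config: Dict[str, Any]) -> str:
    """Qbot's Campaign field is a Unix epoch; render it as ISO-8601 UTC."""
    return datetime.fromtimestamp(int(config["Campaign"]), tz=timezone.utc).isoformat()


def build_iocs(raw_json: str) -> Dict[str, Any]:
    """Parse the extractor output into one record with normalised C2 tuples."""
    config = json.loads(raw_json)
    c2 = [parse_c2(entry) for entry in config["C2 list"]]
    return {
        "bot_id": config["Bot id"],
        "version": config["Version"],
        "campaign_utc": campaign_time(config),
        "c2": c2,
        "ports": Counter(port for _, port in c2),
    }


def blocklist_lines(iocs: Dict[str, Any]) -> List[str]:
    """One 'ip port' line per C2, sorted numerically by address."""
    ordered = sorted(iocs["c2"], key=lambda hp: (ipaddress.ip_address(hp[0]), hp[1]))
    return [f"{ip} {port}" for ip, port in ordered]


IOCS = build_iocs(EXTRACTED_CONFIG)

if __name__ == "__main__":
    print(f"bot {IOCS['bot_id']} version {IOCS['version']} campaign {IOCS['campaign_utc']}")
    print("ports:", dict(IOCS["ports"]))
    print("\n".join(blocklist_lines(IOCS)))
```

Most of the 32 servers listen on 443 or 995, so port alone is not a useful filter; alert on the address/port pairs. Qbot's first-tier C2 addresses are drawn from infected hosts and churn quickly, so treat a list like this as time-bounded and pair it with the behavioural indicators above (regsvr32/rundll32 loading a non-DLL-named module, wermgr.exe with injected code) rather than relying on it alone.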

System Summary

Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
Source: diatomaceous.dat.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Matched rule metadata (identical for every unpacked PE listed below):
Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Sources (type: UNPACKEDPE) matched by both rules: 8.0.wermgr.exe.e00000.0.raw.unpack, 4.2.rundll32.exe.4820000.1.raw.unpack, 5.3.rundll32.exe.b90000.1.unpack, 8.2.wermgr.exe.e00000.0.unpack, 4.3.rundll32.exe.2fa0000.6.unpack, 4.3.rundll32.exe.2fa0000.6.raw.unpack, 5.3.rundll32.exe.b90000.1.raw.unpack, 3.3.regsvr32.exe.400000.2.raw.unpack, 8.2.wermgr.exe.e00000.0.raw.unpack, 3.2.regsvr32.exe.730000.1.raw.unpack, 9.0.wermgr.exe.e00000.0.unpack, 5.2.rundll32.exe.2cc0000.1.raw.unpack, 9.2.wermgr.exe.e00000.0.unpack, 3.2.regsvr32.exe.730000.1.unpack, 3.3.regsvr32.exe.400000.2.unpack, 5.2.rundll32.exe.2cc0000.1.unpack, 7.0.wermgr.exe.1000000.0.raw.unpack, 9.2.wermgr.exe.e00000.0.raw.unpack, 8.0.wermgr.exe.e00000.0.unpack
Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA904A0 0_2_6DA904A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA9CC86 0_2_6DA9CC86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA95CF6 0_2_6DA95CF6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA97909 0_2_6DA97909
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA948FC 0_2_6DA948FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8F07E 0_2_6DA8F07E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8B200 0_2_6DA8B200
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_007435EE 3_2_007435EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_007429E9 3_2_007429E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_007482A0 3_2_007482A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074676F 3_2_0074676F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_007463B0 3_2_007463B0
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6DA81730 appears 87 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6DA89CA0 appears 41 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose, 3_2_0073D538
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 3_2_0073D9DE
Source: diatomaceous.dat.dll.7.dr Static PE information: No import functions for PE file found
Source: diatomaceous.dat.dll Binary or memory string: OriginalFilenamegfngfhn sgedrl;fkweklnmgdfw8 vs diatomaceous.dat.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\diatomaceous.dat.dll F892742F6C64A8991337FADDF84FBDB25C43022AC85C8BCC30D47FEBAFEA1D87
Source: diatomaceous.dat.dll.7.dr Static PE information: Data appended to the last section found
Source: diatomaceous.dat.dll ReversingLabs: Detection: 73%
Source: diatomaceous.dat.dll Virustotal: Detection: 77%
Source: diatomaceous.dat.dll Metadefender: Detection: 44%
Source: diatomaceous.dat.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bwkwui
Source: classification engine Classification label: mal96.troj.evad.winDLL@18/1@0/0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073E485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 3_2_0073E485
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073BAF6 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification, 3_2_0073BAF6
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{8BD38B93-62A1-471F-A5AB-B91B963BC96D}
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{6A583BDA-7359-43D4-819F-474F9705BF6E}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{6A583BDA-7359-43D4-819F-474F9705BF6E}
Source: diatomaceous.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: diatomaceous.dat.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89B9F push ecx; ret 0_2_6DA89BB2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074B066 push ebx; ret 3_2_0074B067
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074ADB4 push cs; iretd 3_2_0074AE8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074AEB6 push cs; iretd 3_2_0074AE8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0074CB95 push esi; iretd 3_2_0074CB9A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073EF38 LoadLibraryA,GetProcAddress, 3_2_0073EF38
Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\Desktop\diatomaceous.dat.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5020 base: 1173C50 value: E9 42 26 E9 FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4768 base: 1173C50 value: E9 42 26 C9 FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4860 base: 1173C50 value: E9 42 26 C9 FF
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEJ
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXEM
Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXEM
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXER
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXEL
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEK
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: wermgr.exe, 00000007.00000003.601336347.0000000004E12000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.601238980.0000000004E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5068 Thread sleep count: 134 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 476 Thread sleep count: 113 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 64 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5188 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5220 Thread sleep time: -83000s >= -30000s
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5016 Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 2100 Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wermgr.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe API coverage: 6.6 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073DDE7 GetSystemInfo, 3_2_0073DDE7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA994B5 FindFirstFileExW, 0_2_6DA994B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073C123 FindFirstFileW,FindNextFileW, 3_2_0073C123
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DA89EC6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073EF38 LoadLibraryA,GetProcAddress, 3_2_0073EF38
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA9A32E GetProcessHeap, 0_2_6DA9A32E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA91610 mov ecx, dword ptr fs:[00000030h] 0_2_6DA91610
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA99229 mov eax, dword ptr fs:[00000030h] 0_2_6DA99229
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DA89EC6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8A11D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6DA8A11D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA8D8C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DA8D8C3

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1030000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: BF0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: BE0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 1030000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: BF0000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: BE0000 protect: page read and write
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6DA9BFAE
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6DA9C73D
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA9C614
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA9C1A9
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6DA9C912
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA96812
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DA9C843
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6DA9C3C1
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA9C336
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA96349
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA9C29B
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DA9C250
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89CE5 cpuid 0_2_6DA89CE5
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DA89FEC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6DA89FEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0073DFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW, 3_2_0073DFC2
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsserv.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgcsrvx.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY