Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
diatomaceous.dat.dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\Users\user\Desktop\diatomaceous.dat.dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\loaddll32.exe
|
loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
|
|
|
|
C:\Windows\SysWOW64\regsvr32.exe
|
regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
|
|
|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
|
|
|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
|
|
|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
|
|
|
|
C:\Windows\SysWOW64\wermgr.exe
|
C:\Windows\SysWOW64\wermgr.exe
|
|
|
|
C:\Windows\SysWOW64\wermgr.exe
|
C:\Windows\SysWOW64\wermgr.exe
|
|
|
|
C:\Windows\SysWOW64\wermgr.exe
|
C:\Windows\SysWOW64\wermgr.exe
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Ifwliuvmpg
|
101366b1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ifwliuvmpg
|
258cb6ff
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ifwliuvmpg
|
27cd9683
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ifwliuvmpg
|
9f71f1e6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ifwliuvmpg
|
e279be6c
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ifwliuvmpg
|
5ac5d909
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ifwliuvmpg
|
9d30d19a
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ifwliuvmpg
|
6f5a0947
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ifwliuvmpg
|
101366b1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
b501c7c4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
809e178a
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
82df37f6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
3a635093
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
476b1f19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
ffd7787c
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
382270ef
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
ca48a832
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
b501c7c4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Eaiaomldskz
|
b501c7c4
|
There are 9 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2FA0000
|
trusted library allocation
|
page read and write
|
|
|
|
B90000
|
trusted library allocation
|
page read and write
|
|
|
|
4820000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
2CC0000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
730000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
1000000
|
system
|
page execute and read and write
|
|
|
|
400000
|
trusted library allocation
|
page read and write
|
|
|
|
E00000
|
system
|
page execute and read and write
|
|
|
|
E00000
|
system
|
page execute and read and write
|
|
|
|
E00000
|
system
|
page execute and read and write
|
|
|
|
E00000
|
system
|
page execute and read and write
|
|
|
|
24420660000
|
heap
|
page read and write
|
||
|
4DD0000
|
trusted library allocation
|
page read and write
|
||
|
4D43000
|
heap
|
page read and write
|
||
|
4D4F000
|
heap
|
page read and write
|
||
|
4DE1000
|
trusted library allocation
|
page read and write
|
||
|
4DD0000
|
trusted library allocation
|
page read and write
|
||
|
4E32000
|
trusted library allocation
|
page read and write
|
||
|
31A0000
|
trusted library allocation
|
page read and write
|
||
|
24420768000
|
heap
|
page read and write
|
||
|
3004000
|
heap
|
page read and write
|
||
|
BC0000
|
unkown
|
page readonly
|
||
|
BBC000
|
stack
|
page read and write
|
||
|
31A0000
|
trusted library allocation
|
page read and write
|
||
|
31A1000
|
trusted library allocation
|
page read and write
|
||
|
5390000
|
trusted library allocation
|
page read and write
|
||
|
4DE1000
|
trusted library allocation
|
page read and write
|
||
|
DF0000
|
unkown
|
page read and write
|
||
|
4DD0000
|
trusted library allocation
|
page read and write
|
||
|
4D4F000
|
heap
|
page read and write
|
||
|
4D65000
|
heap
|
page read and write
|
||
|
4DD0000
|
trusted library allocation
|
page read and write
|
||
|
163F000
|
stack
|
page read and write
|
||
|
31A0000
|
trusted library allocation
|
page read and write
|
||
|
5390000
|
trusted library allocation
|
page read and write
|
||
|
6DAB3000
|
unkown
|
page read and write
|
||
|
244209F0000
|
trusted library allocation
|
page read and write
|
||
|
31A0000
|
trusted library allocation
|
page read and write
|
||
|
BD0000
|
unkown
|
page readonly
|
||
|
4DD0000
|
trusted library allocation
|
page read and write
|
||
|
4E12000
|
trusted library allocation
|
page read and write
|
||
|
111E000
|
stack
|
page read and write
|
||
|
4AE000
|
stack
|
page read and write
|
||
|
BC0000
|
unkown
|
page readonly
|
||
|
BB0000
|
unkown
|
page readonly
|
||
|
49E1000
|
heap
|
page read and write
|
||
|
460BE7C000
|
stack
|
page read and write
|
||
|
4E12000
|
trusted library allocation
|
page read and write
|
||
|
460C1FF000
|
stack
|
page read and write
|
||
|
5390000
|
trusted library allocation
|
page read and write
|
||
|
244206F0000
|
trusted library allocation
|
page read and write
|
||
|
4DE1000
|
trusted library allocation
|
page read and write
|
||
|
31A0000
|
trusted library allocation
|
page read and write
|
||
|
4DD0000
|
trusted library allocation
|
page read and write
|
||
|
31A0000
|
trusted library allocation
|
page read and write
|
||
|
31A0000
|
trusted library allocation
|
page read and write
|