Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
diatomaceous.dat.dll

Overview

General Information

Sample Name:diatomaceous.dat.dll
Analysis ID:719511
MD5:2e7f90e0c595d88d28f9fd979ccfcf33
SHA1:8ff540ba601429c2ee0a444b0d2ec2650d178d23
SHA256:e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
Tags:dll
Infos:

Detection

Qbot
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
PE file overlay found
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5992 cmdline: loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6116 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 244 cmdline: rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • wermgr.exe (PID: 4768 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • regsvr32.exe (PID: 6096 cmdline: regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • wermgr.exe (PID: 5020 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 3908 cmdline: rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 4860 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 1540 cmdline: rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Qbot

{"Bot id": "BB", "Campaign": "1664535088", "Version": "403.902", "C2 list": ["41.107.71.201:443", "105.101.230.16:443", "105.108.239.60:443", "196.64.227.5:8443", "41.249.158.221:995", "134.35.14.5:443", "113.170.117.251:443", "187.193.219.248:443", "122.166.244.116:443", "154.237.129.123:995", "41.98.229.81:443", "186.48.199.243:995", "102.156.3.13:443", "41.97.190.189:443", "197.207.191.164:443", "105.184.14.132:995", "196.207.146.151:443", "105.158.113.15:443", "196.89.42.89:995", "86.98.156.229:993", "177.174.119.195:32101", "81.156.194.147:2078", "80.253.189.55:443", "197.49.175.67:995", "177.45.78.52:993", "89.187.169.77:443", "196.92.59.242:995", "41.13.200.19:443", "41.97.195.237:443", "92.191.56.11:2222", "154.70.53.202:443", "210.186.37.98:50002"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Qbot_1Yara detected QbotJoe Security
    00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Qbot_92c67a6dunknownunknown
    • 0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
    00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Qbot_3074a8d4unknownunknown
    • 0x1ba14:$a4: %u;%u;%u;
    • 0x1bf50:$a5: %u.%u.%u.%u.%u.%u.%04x
    • 0x1bdd8:$a6: %u&%s&%u
    • 0x80c6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
    • 0x8404:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
    • 0x2730:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
    • 0x2187:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
    • 0xbcee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
    00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Qbot_1Yara detected QbotJoe Security
      00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Qbot_92c67a6dunknownunknown
      • 0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
      Click to see the 28 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      8.0.wermgr.exe.e00000.0.raw.unpackJoeSecurity_Qbot_1Yara detected QbotJoe Security
        8.0.wermgr.exe.e00000.0.raw.unpackWindows_Trojan_Qbot_92c67a6dunknownunknown
        • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
        8.0.wermgr.exe.e00000.0.raw.unpackWindows_Trojan_Qbot_3074a8d4unknownunknown
        • 0x1ca14:$a4: %u;%u;%u;
        • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
        • 0x1cdd8:$a6: %u&%s&%u
        • 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
        • 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
        • 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
        • 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
        • 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
        4.2.rundll32.exe.4820000.1.raw.unpackJoeSecurity_Qbot_1Yara detected QbotJoe Security
          4.2.rundll32.exe.4820000.1.raw.unpackWindows_Trojan_Qbot_92c67a6dunknownunknown
          • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
          Click to see the 61 entries

          Sigma Signatures

          Data Obfuscation

          barindex
          Sigma detected: Execute DLL with spoofed extension
          Source: Process startedAuthor: Joe Security: Data: Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1, CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 5992, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1, ProcessId: 6116, ProcessName: cmd.exe

          Snort Signatures

          No Snort rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: diatomaceous.dat.dllReversingLabs: Detection: 73%
          Source: diatomaceous.dat.dllVirustotal: Detection: 77%Perma Link
          Source: diatomaceous.dat.dllMetadefender: Detection: 44%Perma Link
          Machine Learning detection for sample
          Source: diatomaceous.dat.dllJoe Sandbox ML: detected
          Source: 8.2.wermgr.exe.e00000.0.unpackMalware Configuration Extractor: Qbot {"Bot id": "BB", "Campaign": "1664535088", "Version": "403.902", "C2 list": ["41.107.71.201:443", "105.101.230.16:443", "105.108.239.60:443", "196.64.227.5:8443", "41.249.158.221:995", "134.35.14.5:443", "113.170.117.251:443", "187.193.219.248:443", "122.166.244.116:443", "154.237.129.123:995", "41.98.229.81:443", "186.48.199.243:995", "102.156.3.13:443", "41.97.190.189:443", "197.207.191.164:443", "105.184.14.132:995", "196.207.146.151:443", "105.158.113.15:443", "196.89.42.89:995", "86.98.156.229:993", "177.174.119.195:32101", "81.156.194.147:2078", "80.253.189.55:443", "197.49.175.67:995", "177.45.78.52:993", "89.187.169.77:443", "196.92.59.242:995", "41.13.200.19:443", "41.97.195.237:443", "92.191.56.11:2222", "154.70.53.202:443", "210.186.37.98:50002"]}
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA82E60 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,std::ios_base::_Ios_base_dtor,Concurrency::cancel_current_task,std::ios_base::_Ios_base_dtor,
          Source: diatomaceous.dat.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          Source: diatomaceous.dat.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
          Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
          Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA994B5 FindFirstFileExW,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073C123 FindFirstFileW,FindNextFileW,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_00735D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject,

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: diatomaceous.dat.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA904A0
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA9CC86
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA95CF6
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA97909
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA948FC
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA8F07E
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA8B200
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_007435EE
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_007429E9
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_007482A0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0074676F
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_007463B0
          Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6DA81730 appears 87 times
          Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6DA89CA0 appears 41 times
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,
          Source: diatomaceous.dat.dll.7.drStatic PE information: No import functions for PE file found
          Source: diatomaceous.dat.dllBinary or memory string: OriginalFilenamegfngfhn sgedrl;fkweklnmgdfw8 vs diatomaceous.dat.dll
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
          Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\diatomaceous.dat.dll F892742F6C64A8991337FADDF84FBDB25C43022AC85C8BCC30D47FEBAFEA1D87
          Source: diatomaceous.dat.dll.7.drStatic PE information: Data appended to the last section found
          Source: diatomaceous.dat.dllReversingLabs: Detection: 73%
          Source: diatomaceous.dat.dllVirustotal: Detection: 77%
          Source: diatomaceous.dat.dllMetadefender: Detection: 44%
          Source: diatomaceous.dat.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\wermgr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\BwkwuiJump to behavior
          Source: classification engineClassification label: mal96.troj.evad.winDLL@18/1@0/0
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073E485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073BAF6 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{8BD38B93-62A1-471F-A5AB-B91B963BC96D}
          Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\{6A583BDA-7359-43D4-819F-474F9705BF6E}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_01
          Source: C:\Windows\SysWOW64\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{6A583BDA-7359-43D4-819F-474F9705BF6E}
          Source: diatomaceous.dat.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: y'E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
          Source: Binary string: E:\cpp\out\out\desktop.pdb source: loaddll32.exe, 00000000.00000002.321283455.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.320776013.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.320890751.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.320917782.000000006DAA4000.00000002.00000001.01000000.00000003.sdmp, diatomaceous.dat.dll
          Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000004.00000003.307936128.0000000003011000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307949517.000000000301B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.307921567.0000000003004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.320543762.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.321666613.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.321909283.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.322091592.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp
          Source: diatomaceous.dat.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: diatomaceous.dat.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: diatomaceous.dat.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: diatomaceous.dat.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: diatomaceous.dat.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA89B9F push ecx; ret
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0074B066 push ebx; ret
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0074ADB4 push cs; iretd
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0074AEB6 push cs; iretd
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0074CB95 push esi; iretd
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073EF38 LoadLibraryA,GetProcAddress,
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
          Source: C:\Windows\SysWOW64\wermgr.exeFile created: C:\Users\user\Desktop\diatomaceous.dat.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection

          barindex
          Overwrites code with unconditional jumps - possibly settings hooks in foreign process
          Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 5020 base: 1173C50 value: E9 42 26 E9 FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4768 base: 1173C50 value: E9 42 26 C9 FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 4860 base: 1173C50 value: E9 42 26 C9 FF
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXEJ
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TCPDUMP.EXEM
          Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DUMPCAP.EXEM
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINDUMP.EXER
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-32.EXEL
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEK
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TCPDUMP.EXE
          Source: wermgr.exe, 00000007.00000003.323021064.0000000004DD0000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324329003.0000000004DD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINDUMP.EXE
          Source: wermgr.exe, 00000007.00000003.601336347.0000000004E12000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.601238980.0000000004E12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PROC_ANALYZER.EXE
          Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DUMPCAP.EXE
          Source: wermgr.exe, 00000007.00000003.323039882.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.324363967.0000000004D56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5068Thread sleep count: 134 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 476Thread sleep count: 113 > 30
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 64Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 5188Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 5220Thread sleep time: -83000s >= -30000s
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 5016Thread sleep count: 47 > 30
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 2100Thread sleep count: 45 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\wermgr.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\regsvr32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\Windows\System32\loaddll32.exeAPI coverage: 6.6 %
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073DDE7 GetSystemInfo,
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA994B5 FindFirstFileExW,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073C123 FindFirstFileW,FindNextFileW,
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA89EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073EF38 LoadLibraryA,GetProcAddress,
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA9A32E GetProcessHeap,
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA91610 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA99229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA89EC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA8A11D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA8D8C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Writes to foreign memory regions
          Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 1030000
          Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: BF0000
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: BE0000
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\SysWOW64\wermgr.exe base: 1173C50
          Allocates memory in foreign processes
          Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: C:\Windows\SysWOW64\wermgr.exe base: 1030000 protect: page read and write
          Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\SysWOW64\wermgr.exe base: BF0000 protect: page read and write
          Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\SysWOW64\wermgr.exe base: BE0000 protect: page read and write
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\wermgr.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\wermgr.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\loaddll32.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
          Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
          Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
          Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
          Source: C:\Windows\System32\loaddll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
          Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
          Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
          Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
          Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
          Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
          Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
          Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA89CE5 cpuid
          Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DA89FEC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0073DFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW,
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bdagent.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vsserv.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avp.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avgcsrvx.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mcshield.exe
          Source: regsvr32.exe, 00000003.00000003.313976995.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.313977147.00000000049BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.314040424.00000000047FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          barindex
          Yara detected Qbot
          Source: Yara matchFile source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected Qbot
          Source: Yara matchFile source: 8.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.4820000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.b90000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.2fa0000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.3.rundll32.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.3.rundll32.exe.b90000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.730000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.regsvr32.exe.730000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.3.regsvr32.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.rundll32.exe.2cc0000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.1000000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.wermgr.exe.e00000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.wermgr.exe.e00000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.rundll32.exe.4820000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.0.wermgr.exe.1000000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts3
          Native API          		1
          DLL Side-Loading          		311
          Process Injection          		1
          Masquerading          		1
          Credential API Hooking          		1
          System Time Discovery          		Remote Services1
          Screen Capture          		Exfiltration Over Other Network Medium2
          Encrypted Channel          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		2
          Virtualization/Sandbox Evasion          		LSASS Memory14
          Security Software Discovery          		Remote Desktop Protocol1
          Credential API Hooking          		Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)311
          Process Injection          		Security Account Manager2
          Virtualization/Sandbox Evasion          		SMB/Windows Admin Shares1
          Archive Collected Data          		Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
          Deobfuscate/Decode Files or Information          		NTDS2
          Process Discovery          		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information          		LSA Secrets1
          File and Directory Discovery          		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common1
          Regsvr32          		Cached Domain Credentials35
          System Information Discovery          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items1
          Rundll32          		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          DLL Side-Loading          		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 719511 Sample: diatomaceous.dat.dll Startdate: 10/10/2022 Architecture: WINDOWS Score: 96 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Qbot 2->35 37 3 other signatures 2->37 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 2 other processes 8->17 signatures5 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->47 49 Writes to foreign memory regions 10->49 51 Allocates memory in foreign processes 10->51 19 wermgr.exe 8 1 10->19         started        22 rundll32.exe 13->22         started        53 Maps a DLL or memory area into another process 15->53 25 wermgr.exe 15->25         started        process6 file7 29 C:\Users\user\Desktop\diatomaceous.dat.dll, PE32 19->29 dropped 39 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->39 41 Writes to foreign memory regions 22->41 43 Allocates memory in foreign processes 22->43 45 Maps a DLL or memory area into another process 22->45 27 wermgr.exe 22->27         started        signatures8 process9

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          diatomaceous.dat.dll73%ReversingLabsWin32.Backdoor.Quakbot
          diatomaceous.dat.dll77%VirustotalBrowse
          diatomaceous.dat.dll44%MetadefenderBrowse
          diatomaceous.dat.dll100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\Desktop\diatomaceous.dat.dll3%VirustotalBrowse
          C:\Users\user\Desktop\diatomaceous.dat.dll4%ReversingLabs
          C:\Users\user\Desktop\diatomaceous.dat.dllNaN%MetadefenderBrowse

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          8.2.wermgr.exe.e00000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          9.0.wermgr.exe.e00000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          5.2.rundll32.exe.2cc0000.1.unpack100%AviraHEUR/AGEN.1234562Download File
          9.2.wermgr.exe.e00000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          8.0.wermgr.exe.e00000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          3.2.regsvr32.exe.730000.1.unpack100%AviraHEUR/AGEN.1234562Download File
          7.0.wermgr.exe.1000000.0.unpack100%AviraHEUR/AGEN.1234562Download File
          4.2.rundll32.exe.4820000.1.unpack100%AviraHEUR/AGEN.1234562Download File

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox Version:36.0.0 Rainbow Opal
          Analysis ID:719511
          Start date and time:2022-10-10 17:03:44 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 9m 22s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:diatomaceous.dat.dll
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:15
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal96.troj.evad.winDLL@18/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 73.2% (good quality ratio 68.1%)
          • Quality average: 75.3%
          • Quality standard deviation: 29.8%
          HCA Information:
          • Successful, ratio: 99%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .dll
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
          • Not all processes where analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.

          Simulations

          Behavior and APIs

          No simulations

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\Desktop\diatomaceous.dat.dll

          Download File
          Process:C:\Windows\SysWOW64\wermgr.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):4096
          Entropy (8bit):4.5939701639198445
          Encrypted:false
          SSDEEP:48:LtIesYew8vL36I8LgS72DsOA1dyqQrD1tXPFJhsppwAOY5iRYgZX0dB1mkK52wRa:aesqt2Dk1dyqIF9JhsLwAOhf2ZW2wIPD
          MD5:C79A1334A3C60DACEE5E43B715236A17
          SHA1:825F4CA853E99E10B81ABE84A1EB2CB6CFD3E8E7
          SHA-256:F892742F6C64A8991337FADDF84FBDB25C43022AC85C8BCC30D47FEBAFEA1D87
          SHA-512:D0B15BAAD608A3EF3AC13E881B9CCA7C27A56CC735AA7324C7AA677274C9FE73FA9B438FDC1B7B2C2B8717EC8949B0ECA605DF58A504F0A705576DC0BA7AF61D
          Malicious:true
          Antivirus:
          • Antivirus: Virustotal, Detection: 3%, Browse
          • Antivirus: ReversingLabs, Detection: 4%
          • Antivirus: Metadefender, Detection: NaN%, Browse
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B.[.,.[.,.[.,../.V.,..)..,..(.M.,...(.T.,.../.H.,...)...,..-.^.,.[.-.=.,..%.\.,..,.Z.,....Z.,.[...Z.,....Z.,.Rich[.,.................PE..L...n07c...........!....."..........n........@...............................@............@.............................l...l...<....`....................... ......................................p...@............@..\............................text...\!.......".................. ..`.rdata..<....@.......&..............@..@.data....,...0... ..................@....rsrc........`.......(..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

          Static File Info

          General

          File type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Entropy (8bit):6.8621600107462
          TrID:
          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
          • Generic Win/DOS Executable (2004/3) 0.20%
          • DOS Executable Generic (2002/1) 0.20%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:diatomaceous.dat.dll
          File size:393216
          MD5:2e7f90e0c595d88d28f9fd979ccfcf33
          SHA1:8ff540ba601429c2ee0a444b0d2ec2650d178d23
          SHA256:e3a2c056c730666fedabfed5e3cc2dee12d9c3ca36ac2d7c5289cfe29c125050
          SHA512:0ab199c211e7fe09b332c21da969d26ecccbd2947853c9a7793083e51c59b3aa6a765a0e1d2511c61672c49a60057a5bb05bf29eea33c074b95af55cb9e9a03f
          SSDEEP:6144:8WlZhgoMdtBYTNSlWBsAOrbd62IYQ8jjHH62uzdMPF699o9:Vl3goMdrb5J6wQ8faVn99o
          TLSH:AA846A0379D9BCB6C579123027379BE0C72DEC250BA0C9EF67D8196A4A3C2837525BE5
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B.[.,.[.,.[.,.../.V.,...)...,...(.M.,...(.T.,.../.H.,...)...,...-.^.,.[.-.=.,...%.\.,...,.Z.,.....Z.,.[...Z.,.....Z.,.Rich[.,

          File Icon

          Icon Hash:64da98ecd2ceead4

          Static PE Info

          General

          Entrypoint:0x10009b6e
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x10000000
          Subsystem:windows cui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x6337306E [Fri Sep 30 18:07:42 2022 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:5258e65ea568c264cf3e536d81339bf5

          Entrypoint Preview

          Instruction
          push ebp
          mov ebp, esp
          cmp dword ptr [ebp+0Ch], 01h
          jne 00007F6C94BF9CF7h
          call 00007F6C94BFA1B2h
          push dword ptr [ebp+10h]
          push dword ptr [ebp+0Ch]
          push dword ptr [ebp+08h]
          call 00007F6C94BF9BA3h
          add esp, 0Ch
          pop ebp
          retn 000Ch
          cmp ecx, dword ptr [10033014h]
          jne 00007F6C94BF9CF3h
          ret
          jmp 00007F6C94BFA29Bh
          mov ecx, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], ecx
          pop ecx
          pop edi
          pop edi
          pop esi
          pop ebx
          mov esp, ebp
          pop ebp
          push ecx
          ret
          push eax
          push dword ptr fs:[00000000h]
          lea eax, dword ptr [esp+0Ch]
          sub esp, dword ptr [esp+0Ch]
          push ebx
          push esi
          push edi
          mov dword ptr [eax], ebp
          mov ebp, eax
          mov eax, dword ptr [10033014h]
          xor eax, ebp
          push eax
          push dword ptr [ebp-04h]
          mov dword ptr [ebp-04h], FFFFFFFFh
          lea eax, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], eax
          ret
          push eax
          push dword ptr fs:[00000000h]
          lea eax, dword ptr [esp+0Ch]
          sub esp, dword ptr [esp+0Ch]
          push ebx
          push esi
          push edi
          mov dword ptr [eax], ebp
          mov ebp, eax
          mov eax, dword ptr [10033014h]
          xor eax, ebp
          push eax
          mov dword ptr [ebp-10h], esp
          push dword ptr [ebp-04h]
          mov dword ptr [ebp-04h], FFFFFFFFh
          lea eax, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], eax
          ret
          int3
          int3
          int3
          int3
          push ecx
          lea ecx, dword ptr [esp+08h]
          sub ecx, eax
          and ecx, 0Fh
          add eax, ecx
          sbb ecx, ecx
          or eax, ecx
          pop ecx
          jmp 00007F6C94BFA3DFh

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x318000x6c.rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT0x3186c0x3c.rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0x560000xb890.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x620000x1da8.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x2fb700x40.rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x240000x15c.rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x10000x2215c0x22200False0.555016597985348data6.649026882960341IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata0x240000xe03c0xe200False0.5316993915929203data5.664939250342234IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data0x330000x22ccc0x22000False0.8333668428308824DOS executable (block device driver \377\377\377\377\261)6.797248626276144IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc0x560000xb8900xba00False0.17794438844086022data3.888171262767214IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc0x620000x1da80x1e00False0.746484375data6.525986142096821IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          NameRVASizeTypeLanguageCountry
          RT_ICON0x565880xb13PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedRussianRussia
          RT_ICON0x570a00xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsRussianRussia
          RT_ICON0x57f480x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsRussianRussia
          RT_ICON0x587f00x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsRussianRussia
          RT_ICON0x58d580xc4aPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedRussianRussia
          RT_ICON0x599a80x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896RussianRussia
          RT_ICON0x5dbd00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600RussianRussia
          RT_ICON0x601780x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224RussianRussia
          RT_ICON0x612200x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088RussianRussia
          RT_GROUP_ICON0x616880x84dataRussianRussia
          RT_VERSION0x562b00x2d4dataRussianRussia
          RT_MANIFEST0x617100x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States

          Imports

          DLLImport
          KERNEL32.dllSleep, VirtualAlloc, GetCommandLineA, CreateFileW, GetFileSize, CloseHandle, CreateFileA, LocalAlloc, GetModuleFileNameA, DebugBreak, ReadFile, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetStdHandle, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetFilePointerEx, SetStdHandle, HeapSize, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, WriteConsoleW
          ADVAPI32.dllCryptCreateHash, CryptHashData, CryptDestroyHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA

          Exports

          NameOrdinalAddress
          DllRegisterServer10x10006510
          DllUnregisterServer20x10007d50

          Possible Origin

          Language of compilation systemCountry where language is spokenMap
          RussianRussia
          EnglishUnited States

          Network Behavior

          No network behavior found

          Statistics

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:17:04:39
          Start date:10/10/2022
          Path:C:\Windows\System32\loaddll32.exe
          Wow64 process (32bit):true
          Commandline:loaddll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll"
          Imagebase:0xcc0000
          File size:116736 bytes
          MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Target ID:1
          Start time:17:04:39
          Start date:10/10/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7c72c0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:2
          Start time:17:04:39
          Start date:10/10/2022
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Imagebase:0xd90000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:3
          Start time:17:04:39
          Start date:10/10/2022
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline:regsvr32.exe /s C:\Users\user\Desktop\diatomaceous.dat.dll
          Imagebase:0xe20000
          File size:20992 bytes
          MD5 hash:426E7499F6A7346F0410DEAD0805586B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000002.320581974.0000000000730000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000003.312800639.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          General

          Target ID:4
          Start time:17:04:39
          Start date:10/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe "C:\Users\user\Desktop\diatomaceous.dat.dll",#1
          Imagebase:0xc50000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000003.312922602.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000002.320649129.0000000004820000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          General

          Target ID:5
          Start time:17:04:39
          Start date:10/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllRegisterServer
          Imagebase:0xc50000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000003.313259350.0000000000B90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000002.320603133.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          General

          Target ID:6
          Start time:17:04:42
          Start date:10/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\diatomaceous.dat.dll,DllUnregisterServer
          Imagebase:0xc50000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Target ID:7
          Start time:17:04:44
          Start date:10/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x1160000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000000.319688371.0000000001000000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          General

          Target ID:8
          Start time:17:04:44
          Start date:10/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x1160000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000000.319841073.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000002.322126638.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          General

          Target ID:9
          Start time:17:04:44
          Start date:10/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x1160000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000009.00000000.319924513.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000009.00000002.322491943.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          Disassembly

          No disassembly