Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
pebbles.dat.dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\Users\user\Desktop\pebbles.dat.dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\loaddll32.exe
|
loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
|
|
|
|
C:\Windows\SysWOW64\regsvr32.exe
|
regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
|
|
|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
|
|
|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
|
|
|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
|
|
|
|
C:\Windows\SysWOW64\wermgr.exe
|
C:\Windows\SysWOW64\wermgr.exe
|
|
|
|
C:\Windows\SysWOW64\wermgr.exe
|
C:\Windows\SysWOW64\wermgr.exe
|
|
|
|
C:\Windows\SysWOW64\wermgr.exe
|
C:\Windows\SysWOW64\wermgr.exe
|
|
|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
|
|
|
|
C:\Windows\System32\audiodg.exe
|
C:\Windows\system32\AUDIODG.EXE 0x2ac
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
There are 2 hidden processes, click here to show them.
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Ymxempiiozk
|
5d054d9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ymxempiiozk
|
304f8497
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ymxempiiozk
|
320ea4eb
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ymxempiiozk
|
8ab2c38e
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ymxempiiozk
|
f7ba8c04
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ymxempiiozk
|
4f06eb61
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ymxempiiozk
|
88f3e3f2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ymxempiiozk
|
7a993b2f
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Ymxempiiozk
|
5d054d9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
dbdf127f
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
ee40c231
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
ec01e24d
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
54bd8528
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
29b5caa2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
9109adc7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
56fca554
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
a4967d89
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
dbdf127f
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Rqqahuvpx
|
dbdf127f
|
There are 9 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
990000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
E40000
|
system
|
page execute and read and write
|
|
|
|
4450000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
E40000
|
system
|
page execute and read and write
|
|
|
|
4430000
|
trusted library allocation
|
page read and write
|
|
|
|
12A0000
|
system
|
page execute and read and write
|
|
|
|
970000
|
system
|
page execute and read and write
|
|
|
|
590000
|
trusted library allocation
|
page read and write
|
|
|
|
2D60000
|
trusted library allocation
|
page read and write
|
|
|
|
2EE0000
|
trusted library allocation
|
page execute and read and write
|
|
|
|
970000
|
system
|
page execute and read and write
|
|
|
|
11B0B3E5000
|
heap
|
page read and write
|
||
|
206EA900000
|
heap
|
page read and write
|
||
|
34A0000
|
trusted library allocation
|
page read and write
|
||
|
22C0FC4F000
|
heap
|
page read and write
|
||
|
BF0000
|
unkown
|
page read and write
|
||
|
4CF0000
|
heap
|
page read and write
|
||
|
521F000
|
heap
|
page read and write
|
||
|
19D1D402000
|
trusted library allocation
|
page read and write
|
||
|
34A0000
|
trusted library allocation
|
page read and write
|
||
|
206EA760000
|
heap
|
page read and write
|
||
|
34A0000
|
trusted library allocation
|
page read and write
|
||
|
D8E000
|
stack
|
page read and write
|
||
|
FC0000
|
trusted library allocation
|
page read and write
|
||
|
5650000
|
trusted library allocation
|
page read and write
|
||
|
5650000
|
trusted library allocation
|
page read and write
|
||
|
1DA8839E000
|
heap
|
page read and write
|
||
|
21E51A4F000
|
heap
|
page read and write
|
||
|
1DA8838C000
|
heap
|
page read and write
|
||
|
22C0FC43000
|
heap
|
page read and write
|
||
|
5220000
|
heap
|
page read and write
|
||
|
176F23A0000
|
trusted library allocation
|
page read and write
|
||
|
21E51A57000
|
heap
|
page read and write
|
||
|
11B0BB22000
|
heap
|
page read and write
|
||
|
205CC240000
|
heap
|
page read and write
|
||
|
5650000
|
trusted library allocation
|
page read and write
|
||
|
534000
|
heap
|
page read and write
|
||
|
16B64E76000
|
heap
|
page read and write
|
||
|
96DCFE000
|
stack
|
page read and write
|
||
|
206EA7D0000
|
heap
|
page read and write
|
||
|
940000
|
unkown
|
page readonly
|
||
|
BD0000
|
unkown
|
page readonly
|
||
|
24ED47F0000
|
trusted library allocation
|
page read and write
|
||
|
93C000
|
stack
|
page read and write
|
||
|
1C5194D7000
|
heap
|
page read and write
|
||
|
22C0FC69000
|
heap
|
page read and write
|
||
|
2D84000
|
heap
|
page read and write
|
||
|
D4837E000
|
stack
|
page read and write
|
||
|
21E51B08000
|
heap
|
page read and write
|
||
|
1DA8837C000
|
heap
|
page read and write
|
||
|
176F0A70000
|
heap
|
page read and write
|