Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
file.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Eclipse IO Library 9.27.43\Eclipse IO Library 9.27.43.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
modified
|
|
|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\is-N5JHT.tmp
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\is-REN2E.tmp
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\is-UG21C.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\libeay32.dll (copy)
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\libssl-1_1.dll (copy)
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\ssleay32.dll (copy)
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\is-GKUSE.tmp
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\unins000.exe (copy)
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_iscrypt.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\ProgramData\ec927it43.dat
|
ISO-8859 text, with no line terminators
|
dropped
|
||
|
C:\ProgramData\ec927rc43.dat
|
data
|
dropped
|
||
|
C:\ProgramData\ec927resa.dat
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\ProgramData\ec927resb.dat
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Gerda Play3 SE\Qt5OpenGL.dll (copy)
|
PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Gerda Play3 SE\is-3CJHL.tmp
|
PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Gerda Play3 SE\is-8SV2U.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Gerda Play3 SE\is-RDVP8.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Gerda Play3 SE\is-T0OEI.tmp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Gerda Play3 SE\msvcp71.dll (copy)
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Gerda Play3 SE\msvcr71.dll (copy)
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Gerda Play3 SE\uninstall\unins000.dat
|
InnoSetup Log Gerda Play3 SE, version 0x30, 4476 bytes, 767668\user, "C:\Users\user\AppData\Local\Gerda Play3 SE"
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_setup64.tmp
|
PE32+ executable (console) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\is-BCORL.tmp\_isetup\_shfoldr.dll
|
PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
|
dropped
|
There are 17 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe
|
"C:\Users\user\AppData\Local\Gerda Play3 SE\gerdaplay3se.exe" -i
|
|
|
|
C:\Users\user\Desktop\file.exe
|
"C:\Users\user\Desktop\file.exe"
|
||
|
C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp
|
"C:\Users\user\AppData\Local\Temp\is-CJFRT.tmp\file.tmp" /SL5="$20434,3031792,56832,C:\Users\user\Desktop\file.exe"
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://ceyqbgr.net/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c440db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608cf815c5ee949b32
|
185.208.158.248
|
|
|
|
http://ceyqbgr.net/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948344815a8bbc896c58e713bc90c91936b5281fc235a925ed3e5dd6bd974a95129070b413e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ed929e3ecc6e971f
|
185.208.158.248
|
|
|
|
ceyqbgr.net
|
|
||
|
http://www.innosetup.com/
|
unknown
|
||
|
https://sectigo.com/CPS0
|
unknown
|
||
|
http://repository.certum.pl/ctnca.cer09
|
unknown
|
||
|
http://repository.certum.pl/cscasha2.cer0
|
unknown
|
||
|
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
|
unknown
|
||
|
http://ocsp.sectigo.com0
|
unknown
|
||
|
http://crl.certum.pl/ctnca.crl0k
|
unknown
|
||
|
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
|
unknown
|
||
|
http://ocsp.thawte.com0
|
unknown
|
||
|
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
|
unknown
|
||
|
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
|
unknown
|
||
|
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
|
unknown
|
||
|
https://www.certum.pl/CPS0
|
unknown
|
||
|
http://crl.certum.pl/cscasha2.crl0q
|
unknown
|
||
|
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86ec948
|
unknown
|
||
|
http://cscasha2.ocsp-certum.com04
|
unknown
|
||
|
http://www.openssl.org/support/faq.html
|
unknown
|
||
|
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
|
unknown
|
||
|
http://www.remobjects.com/psU
|
unknown
|
||
|
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
|
unknown
|
||
|
http://crl.thawte.com/ThawteTimestampingCA.crl0
|
unknown
|
||
|
http://185.208.158.248/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
|
unknown
|
||
|
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
|
unknown
|
||
|
http://subca.ocsp-certum.com01
|
unknown
|
||
|
https://www.openssl.org/H
|
unknown
|
||
|
http://www.remobjects.com/ps
|
unknown
|
||
|
http://www.openssl.org/f
|
unknown
|
||
|
http://www.certum.pl/CPS0
|
unknown
|
There are 21 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
ceyqbgr.net
|
185.208.158.248
|
|
|
|
18.31.95.13.in-addr.arpa
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
185.208.158.248
|
ceyqbgr.net
|
Switzerland
|
|
|
|
89.105.201.183
|
unknown
|
Netherlands
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Owner
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
SessionHash
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Sequence
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
RegFiles0000
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
RegFilesHash
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
Inno Setup: Setup Version
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
Inno Setup: App Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
InstallLocation
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
Inno Setup: Icon Group
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
Inno Setup: User
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
Inno Setup: Language
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
DisplayName
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
UninstallString
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
QuietUninstallString
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
NoModify
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
NoRepair
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
InstallDate
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gerda Play3 SE_is1
|
EstimatedSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\LargeTour
|
eclipse_io_library_i43_10
|
There are 9 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2721000
|
heap
|
page read and write
|
|
|
|
2D61000
|
direct allocation
|
page execute and read and write
|
|
|
|
57D1000
|
heap
|
page read and write
|
||
|
632000
|
unkown
|
page write copy
|
||
|
20D0000
|
direct allocation
|
page read and write
|
||
|
2D9A000
|
direct allocation
|
page execute and read and write
|
||
|
2520000
|
heap
|
page read and write
|
||
|
2152000
|
direct allocation
|
page read and write
|
||
|
540000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
4AC000
|
unkown
|
page readonly
|
||
|
5B4B000
|
direct allocation
|
page read and write
|
||
|
23D0000
|
direct allocation
|
page read and write
|
||
|
2120000
|
direct allocation
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
5DA000
|
heap
|
page read and write
|
||
|
329E000
|
stack
|
page read and write
|
||
|
798000
|
heap
|
page read and write
|
||
|
604000
|
heap
|
page read and write
|
||
|
5A6000
|
unkown
|
page execute and write copy
|
||
|
2310000
|
direct allocation
|
page read and write
|
||
|
35DF000
|
stack
|
page read and write
|
||
|
49A000
|
unkown
|
page write copy
|
||
|
30F0000
|
heap
|
page read and write
|
||
|
2544000
|
heap
|
page read and write
|
||
|
8E0000
|
direct allocation
|
page read and write
|
||
|
738000
|
heap
|
page read and write
|
||
|
2127000
|
direct allocation
|
page read and write
|
||
|
365A000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
2810000
|
heap
|
page read and write
|
||
|
49A000
|
unkown
|
page read and write
|
||
|
10000000
|
unkown
|
page readonly
|
||
|
62C000
|
unkown
|
page readonly
|
||
|
400000
|
unkown
|
page readonly
|
||
|
9B000
|
stack
|
page read and write
|
||
|
5750000
|
heap
|
page read and write
|
||
|
3722000
|
heap
|
page read and write
|
||
|
10001000
|
unkown
|
page execute read
|
||
|
655000
|
unkown
|
page readonly
|
||
|
20E1000
|
direct allocation
|
page read and write
|
||
|
2260000
|
heap
|
page read and write
|
||
|
27B0000
|
trusted library allocation
|
page read and write
|
||
|
2220000
|
direct allocation
|
page execute and read and write
|
||
|
5B6A000
|
direct allocation
|
page read and write
|
||
|
550000
|
heap
|
page read and write
|
||
|
2138000
|
direct allocation
|
page read and write
|
||
|
315E000
|
stack
|
page read and write
|
||
|
411000
|
unkown
|
page readonly
|
||
|
5A4000
|
unkown
|
page execute and write copy
|
||
|
420000
|
heap
|
page read and write
|
||
|
5AB8000
|
direct allocation
|
page read and write
|
||
|
58E0000
|
direct allocation
|
page read and write
|
||
|
5B12000
|
direct allocation
|
page read and write
|
||
|
2128000
|
direct allocation
|
page read and write
|
||
|
2C5D000
|
stack
|
page read and write
|
||
|
26FE000
|
stack
|
page read and write
|
||
|
22D0000
|
direct allocation
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
339F000
|
stack
|
page read and write
|
||
|
588000
|
heap
|
page read and write
|
||
|
212C000
|
direct allocation
|
page read and write
|
||
|
2561000
|
heap
|
page read and write
|
||
|
2650000
|
direct allocation
|
page read and write
|
||
|
238E000
|
stack
|
page read and write
|
||
|
58D0000
|
direct allocation
|
page read and write
|
||
|
660000
|
unkown
|
page readonly
|
||
|
5BF8000
|
direct allocation
|
page read and write
|
||
|
790000
|
heap
|
page read and write
|
||
|
66E000
|
unkown
|
page readonly
|
||
|
636000
|
unkown
|
page readonly
|
||
|
31FE000
|
stack
|
page read and write
|
||
|
27FC000
|
stack
|
page read and write
|
||
|
560000
|
heap
|
page read and write
|
||
|
866000
|
heap
|
page read and write
|
||
|
49E000
|
unkown
|
page write copy
|
||
|
2540000
|
heap
|
page read and write
|
||
|
19D000
|
stack
|
page read and write
|
||
|
325F000
|
stack
|
page read and write
|
||
|
5E7000
|
heap
|
page read and write
|
||
|
36A9000
|
heap
|
page read and write
|
||
|
19C000
|
stack
|
page read and write
|
||
|
40B000
|
unkown
|
page read and write
|
||
|
6A7000
|
heap
|
page read and write
|
||
|
2250000
|
heap
|
page read and write
|
||
|
65E000
|
unkown
|
page readonly
|
||
|
36A1000
|
heap
|
page read and write
|
||
|
18D000
|
stack
|
page read and write
|
||
|
37A7000
|
heap
|
page read and write
|
||
|
6D0000
|
heap
|
page read and write
|
||
|
6A0000
|
heap
|
page read and write
|
||
|
304F000
|
stack
|
page read and write
|
||
|
5750000
|
heap
|
page read and write
|
||
|
5B5D000
|
direct allocation
|
page read and write
|
||
|
68D000
|
unkown
|
page readonly
|
||
|
8D0000
|
heap
|
page read and write
|
||
|
2747000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
5B0C000
|
direct allocation
|
page read and write
|
||
|
30F0000
|
direct allocation
|
page read and write
|
||
|
26D0000
|
heap
|
page read and write
|
||
|
30F0000
|
direct allocation
|
page read and write
|
||
|
36E0000
|
heap
|
page read and write
|
||
|
720000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
2F4E000
|
stack
|
page read and write
|
||
|
5A8000
|
unkown
|
page execute and write copy
|
||
|
401000
|
unkown
|
page execute and write copy
|
||
|
216E000
|
direct allocation
|
page read and write
|
||
|
5D1000
|
heap
|
page read and write
|
||
|
71B000
|
unkown
|
page readonly
|
||
|
2390000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page execute and read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
5F2000
|
heap
|
page read and write
|
||
|
32FE000
|
stack
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
22D0000
|
heap
|
page read and write
|
||
|
580000
|
heap
|
page read and write
|
||
|
5E0000
|
heap
|
page read and write
|
||
|
2150000
|
direct allocation
|
page read and write
|
||
|
5A88000
|
direct allocation
|
page read and write
|
||
|
20E1000
|
direct allocation
|
page read and write
|
||
|
910000
|
heap
|
page read and write
|
||
|
890000
|
heap
|
page read and write
|
||
|
349F000
|
stack
|
page read and write
|
||
|
22D9000
|
heap
|
page read and write
|
||
|
8B0000
|
direct allocation
|
page read and write
|
||
|
5A86000
|
direct allocation
|
page read and write
|
||
|
57D0000
|
heap
|
page read and write
|
||
|
20D4000
|
direct allocation
|
page read and write
|
||
|
40D000
|
unkown
|
page write copy
|
||
|
83F000
|
heap
|
page read and write
|
||
|
411000
|
unkown
|
page readonly
|
||
|
8C2000
|
direct allocation
|
page read and write
|
||
|
31AF000
|
stack
|
page read and write
|
||
|
2310000
|
direct allocation
|
page read and write
|
||
|
20E8000
|
direct allocation
|
page read and write
|
||
|
5B3B000
|
direct allocation
|
page read and write
|
||
|
23E0000
|
heap
|
page read and write
|
||
|
49C000
|
unkown
|
page read and write
|
||
|
915000
|
heap
|
page read and write
|
||
|
96000
|
stack
|
page read and write
|
||
|
845000
|
heap
|
page read and write
|
||
|
88C000
|
heap
|
page read and write
|
||
|
770000
|
heap
|
page read and write
|
||
|
5A84000
|
direct allocation
|
page read and write
|
||
|
5750000
|
heap
|
page read and write
|
||
|
35E8000
|
heap
|
page read and write
|
||
|
197000
|
stack
|
page read and write
|
||
|
680000
|
unkown
|
page readonly
|
||
|
6A5000
|
heap
|
page read and write
|
||
|
5D8000
|
unkown
|
page execute and write copy
|
||
|
34DE000
|
stack
|
page read and write
|
||
|
5B3D000
|
direct allocation
|
page read and write
|
||
|
49B000
|
unkown
|
page write copy
|
||
|
2710000
|
heap
|
page read and write
|
||
|
5D5000
|
heap
|
page read and write
|
||
|
9C000
|
stack
|
page read and write
|
||
|
884000
|
heap
|
page read and write
|
||
|
24A9000
|
direct allocation
|
page read and write
|
||
|
23D0000
|
direct allocation
|
page read and write
|
||
|
630000
|
heap
|
page read and write
|
||
|
272F000
|
heap
|
page read and write
|
||
|
630000
|
unkown
|
page write copy
|
||
|
30AE000
|
stack
|
page read and write
|
||
|
2198000
|
direct allocation
|
page read and write
|
||
|
4AC000
|
unkown
|
page readonly
|
||
|
4C0000
|
heap
|
page read and write
|
||
|
8C0000
|
direct allocation
|
page read and write
|
||
|
2D5F000
|
stack
|
page read and write
|
||
|
2138000
|
direct allocation
|
page read and write
|
||
|
409000
|
unkown
|
page execute and read and write
|
||
|
339E000
|
stack
|
page read and write
|
||
|
730000
|
heap
|
page read and write
|
||
|
22D5000
|
heap
|
page read and write
|
||
|
23E4000
|
heap
|
page read and write
|
||
|
10002000
|
unkown
|
page readonly
|
||
|
40B000
|
unkown
|
page write copy
|
||
|
3614000
|
heap
|
page read and write
|
||
|
2F0B000
|
stack
|
page read and write
|
||
|
8A0000
|
direct allocation
|
page read and write
|
||
|
5750000
|
heap
|
page read and write
|
||
|
5B32000
|
direct allocation
|
page read and write
|
||
|
5CB000
|
heap
|
page read and write
|
||
|
56D0000
|
trusted library allocation
|
page read and write
|
||
|
24A0000
|
direct allocation
|
page read and write
|
There are 177 hidden memdumps, click here to show them.