Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	753419
MD5:	3b97fd1136b9ed348734e5ea77aaa75a
SHA1:	fa3e9db1c2f462cf41d43487f0f73be6615876ba
SHA256:	dbcb891f6ed1d7aca11dd0263d68b3ce082d2e7eca152a098981307da9a6cc24
Tags:	exe
Infos:

Detection

Nymaim

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected Nymaim

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Uses taskkill to terminate processes

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to detect sandboxes (foreground window change detection)

Creates a process in suspended mode (likely to inject code)

Classification

×

Process Tree

System is w10x64

file.exe (PID: 2144 cmdline: C:\Users\user\Desktop\file.exe MD5: 3B97FD1136B9ED348734E5EA77AAA75A)

is-8PA5U.tmp (PID: 244 cmdline: "C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp" /SL4 $4025C "C:\Users\user\Desktop\file.exe" 1079207 51712 MD5: 85B94E72C3F2D2B5464E2AAF3C9E242A)

PrintFolders.exe (PID: 2344 cmdline: "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" MD5: 988A479E180E7899959663226C9AAC1B)

1mWX2l.exe (PID: 4668 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)

cmd.exe (PID: 6128 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 3172 cmdline: taskkill /im "PrintFolders.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

Threatname: Nymaim

{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.381983447.00000000030D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000002.00000002.381766513.0000000003070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000002.00000002.380785981.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.PrintFolders.exe.3070000.2.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.PrintFolders.exe.3070000.2.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.PrintFolders.exe.400000.1.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.PrintFolders.exe.400000.1.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://171.22.30.106/library.php

URL Reputation: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\1mWX2l.exe

ReversingLabs: Detection: 46%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Joe Sandbox ML: detected

Source: 2.2.PrintFolders.exe.10000000.6.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.3.file.exe.20e8000.4.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 2.2.PrintFolders.exe.400000.1.unpack

Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_10001000 ISCryptGetVersion,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_10001130 ArcFourCrypt,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Unpacked PE file: 2.2.PrintFolders.exe.400000.1.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:

Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-NSDTB.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00451554 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0048A778 FindFirstFileA,6D7369D0,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00423E2D FindFirstFileExW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_1000959D FindFirstFileExW,

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.139.105.1
Source: Malware configuration extractor	IPs: 85.31.46.167
Source: Malware configuration extractor	IPs: 107.182.129.235
Source: Malware configuration extractor	IPs: 171.22.30.106

Source: Joe Sandbox View

ASN Name: CMCSUS CMCSUS

Source: Joe Sandbox View

IP Address: 45.139.105.171 45.139.105.171

Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235

Source: file.exe, 00000000.00000003.296783879.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000003.382742741.000000000073C000.00000004.00000020.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000002.383315513.000000000073C000.00000004.00000020.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000003.298079912.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pfolders.atopoint.com
Source: file.exe, 00000000.00000003.383704565.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296783879.00000000020E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pfolders.atopoint.com.
Source: is-8PA5U.tmp, 00000001.00000003.382742741.000000000073C000.00000004.00000020.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000002.383315513.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pfolders.atopoint.comZ
Source: file.exe, 00000000.00000003.296748024.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.383704565.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296783879.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000003.298079912.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.atopoint.com
Source: file.exe, 00000000.00000003.383704565.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296783879.00000000020E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.atopoint.com.
Source: is-8PA5U.tmp, 00000001.00000003.382742741.000000000073C000.00000004.00000020.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000002.383315513.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.atopoint.comJ
Source: file.exe	String found in binary or memory: http://www.innosetup.com
Source: is-8PA5U.tmp, is-8PA5U.tmp, 00000001.00000002.382985437.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-GLBR6.tmp.1.dr, is-8PA5U.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.296912247.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.297046595.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000000.297615237.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-GLBR6.tmp.1.dr, is-8PA5U.tmp.0.dr	String found in binary or memory: http://www.innosetup.comDVarFileInfo$
Source: file.exe, 00000000.00000003.296912247.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.297046595.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, is-8PA5U.tmp, 00000001.00000002.382985437.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-GLBR6.tmp.1.dr, is-8PA5U.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/?ps
Source: file.exe, 00000000.00000003.296912247.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.297046595.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000002.382985437.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-GLBR6.tmp.1.dr, is-8PA5U.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/?psU

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

Source: global traffic	HTTP traffic detected: GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 45.139.105.171Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache

Source: is-8PA5U.tmp, 00000001.00000002.383264343.00000000006EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 2.2.PrintFolders.exe.3070000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.3070000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.381983447.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.381766513.0000000003070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.380785981.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004081C8
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00468940
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00460F30
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0043DF70
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004303A4
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0047A6D8
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004446E8
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00434994
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0045AA90
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00480BDC
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00444C90
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00462F38
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00445388
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00435698
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00445794
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0042F948
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00457BB4
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404490
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004056A0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00406800
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00406AA0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404D40
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00405F40
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00402F20
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004150D3
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00415305
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004223A9
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00419510
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404840
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00426850
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00410A50
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0042AB9A
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00421C88
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0042ACBA
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00447D2D
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00428D39
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404F20
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_1000F670
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_1000EC61

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: String function: 10003C50 appears 34 times
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: String function: 0040F9E0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 004035DC appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 00403548 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 00407B08 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 00445FF4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 00455A04 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 004037CC appears 193 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 00405AA4 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 00455814 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 004462C4 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 004348AC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 00451AFC appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: String function: 00408DF0 appears 42 times

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00423D9C NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004127F0 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004551C4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,

Source: is-8PA5U.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-8PA5U.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-8PA5U.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-GLBR6.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-GLBR6.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-GLBR6.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-NSDTB.tmp.1.dr

Static PE information: No import functions for PE file found

Source: file.exe, 00000000.00000003.296912247.00000000021D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.296912247.00000000021D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000000.00000003.297046595.00000000020E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.297046595.00000000020E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000000.00000000.296347435.0000000000410000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilename" vs file.exe

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\PrintFolders\Russian.dll (copy) A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62

Source: PrintFolders.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp "C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp" /SL4 $4025C "C:\Users\user\Desktop\file.exe" 1079207 51712
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process created: C:\Program Files (x86)\PrintFolders\PrintFolders.exe "C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\1mWX2l.exe
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp "C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp" /SL4 $4025C "C:\Users\user\Desktop\file.exe" 1079207 51712
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process created: C:\Program Files (x86)\PrintFolders\PrintFolders.exe "C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\1mWX2l.exe
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408F74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DBC4E70,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00453A8C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DBC4E70,

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "PrintFolders.exe")

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winEXE@12/23@0/5

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

Code function: 1_2_00454498 GetModuleHandleA,6D735550,GetDiskFreeSpaceA,

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1688:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

Code function: 1_2_0040B1E0 FindResourceA,FreeResource,

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

File created: C:\Program Files (x86)\PrintFolders

Jump to behavior

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Command line argument: `a}{
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Command line argument: MFE.
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Command line argument: ZK]Z
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Command line argument: ZK]Z

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1315223 > 1048576

Source:

Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-NSDTB.tmp.1.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Unpacked PE file: 2.2.PrintFolders.exe.400000.1.unpack

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Unpacked PE file: 2.2.PrintFolders.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.rgw89:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406584 push 004065C1h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404159 push eax; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404229 push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407E84 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004042AA push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408B24 push 00408B57h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404327 push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040438C push 00404435h; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00409B70 push 00409BADh; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0040A257 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00478210 push 004782BBh; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0040A22B push ds; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004063C8 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004303A4 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0045A74C push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004108E8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00412B40 push 00412BA3h; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00450FF8 push 0045102Bh; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0040D240 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004055BD push eax; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00443660 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0040568D push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00479768 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0040570E push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004057F0 push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0040578B push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0040F7A0 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00419E40 push ecx; mov dword ptr [esp], ecx
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004311AD push esi; ret
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0040F4BB push ecx; ret

Source: PrintFolders.exe.1.dr

Static PE information: section name: .rgw89

Source: initial sample

Static PE information: section name: .text entropy: 7.279657042494806

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	File created: C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_shfoldr.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	File created: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	File created: C:\Program Files (x86)\PrintFolders\PrintFolders.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	File created: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	File created: C:\Program Files (x86)\PrintFolders\is-NSDTB.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp			Jump to dropped file
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\1mWX2l.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	File created: C:\Program Files (x86)\PrintFolders\is-GLBR6.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	File created: C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_iscrypt.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	File created: C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_setup64.tmp			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004243F4 IsIconic,SetActiveWindow,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004243AC IsIconic,SetActiveWindow,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0041859C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00422A74 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004177B0 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00477D2C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00417EE6 IsIconic,SetWindowPos,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00417EE8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_shfoldr.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-NSDTB.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-GLBR6.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_setup64.tmp			Jump to dropped file

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004095D0 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00451554 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0048A778 FindFirstFileA,6D7369D0,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00423E2D FindFirstFileExW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_1000959D FindFirstFileExW,

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\

Source: file.exe	Binary or memory string: VmCiN^
Source: PrintFolders.exe, 00000002.00000002.382395945.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h]

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0040F789 SetUnhandledExceptionFilter,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

Code function: 1_2_004593E4 GetVersion,GetModuleHandleA,6D735550,6D735550,6D735550,AllocateAndInitializeSid,LocalFree,

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	Code function: GetLocaleInfoA,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_0040F7F3 cpuid

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

Code function: 1_2_00455B2C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6D735CA0,SetNamedPipeHandleState,6DBC7180,CloseHandle,CloseHandle,

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004026C4 GetSystemTime,

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405CB0 GetVersionExA,

Source: C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

Code function: 1_2_00453A24 GetUserNameA,

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 2.2.PrintFolders.exe.3070000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.3070000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.381983447.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.381766513.0000000003070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.380785981.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	2 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	12 Process Injection	1 Disable or Modify Tools	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Process Injection	NTDS	11 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	23 Software Packing	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	26 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\PrintFolders\PrintFolders.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\PrintFolders\Russian.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PrintFolders\is-GLBR6.tmp	2%	ReversingLabs
C:\Program Files (x86)\PrintFolders\is-NSDTB.tmp	0%	ReversingLabs
C:\Program Files (x86)\PrintFolders\unins000.exe (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_iscrypt.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_shfoldr.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp	4%	ReversingLabs
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\1mWX2l.exe	46%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.PrintFolders.exe.10000000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen8		Download File
1.2.is-8PA5U.tmp.400000.0.unpack	100%	Avira	HEUR/AGEN.1232832		Download File
2.2.PrintFolders.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
0.3.file.exe.20e8000.4.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File
0.2.file.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1248792		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.innosetup.com/	0%	URL Reputation	safe
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte	0%	URL Reputation	safe
http://107.182.129.235/storage/extension.php	0%	URL Reputation	safe
http://www.remobjects.com/?ps	0%	URL Reputation	safe
http://www.innosetup.com	0%	URL Reputation	safe
http://107.182.129.235/storage/ping.php	0%	URL Reputation	safe
http://171.22.30.106/library.php	100%	URL Reputation	malware
http://www.remobjects.com/?psU	0%	URL Reputation	safe
http://pfolders.atopoint.comZ	0%	Avira URL Cloud	safe
http://www.atopoint.com	0%	Virustotal		Browse
http://www.atopoint.com	0%	Avira URL Cloud	safe
http://www.atopoint.com.	0%	Avira URL Cloud	safe
http://pfolders.atopoint.com	0%	Avira URL Cloud	safe
http://pfolders.atopoint.com.	0%	Avira URL Cloud	safe
http://www.innosetup.comDVarFileInfo$	0%	Avira URL Cloud	safe
http://www.atopoint.comJ	0%	Avira URL Cloud	safe
http://www.atopoint.com.	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte	false	URL Reputation: safe	unknown
http://107.182.129.235/storage/extension.php	true	URL Reputation: safe	unknown
http://107.182.129.235/storage/ping.php	true	URL Reputation: safe	unknown
http://171.22.30.106/library.php	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pfolders.atopoint.com.	file.exe, 00000000.00000003.383704565.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296783879.00000000020E1000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com/	is-8PA5U.tmp, is-8PA5U.tmp, 00000001.00000002.382985437.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-GLBR6.tmp.1.dr, is-8PA5U.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.atopoint.com	file.exe, 00000000.00000003.296748024.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.383704565.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296783879.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000003.298079912.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pfolders.atopoint.comZ	is-8PA5U.tmp, 00000001.00000003.382742741.000000000073C000.00000004.00000020.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000002.383315513.000000000073C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/?ps	file.exe, 00000000.00000003.296912247.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.297046595.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, is-8PA5U.tmp, 00000001.00000002.382985437.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-GLBR6.tmp.1.dr, is-8PA5U.tmp.0.dr	false	URL Reputation: safe	unknown
http://pfolders.atopoint.com	file.exe, 00000000.00000003.296783879.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000003.382742741.000000000073C000.00000004.00000020.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000002.383315513.000000000073C000.00000004.00000020.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000003.298079912.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com	file.exe	false	URL Reputation: safe	unknown
http://www.atopoint.com.	file.exe, 00000000.00000003.383704565.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.296783879.00000000020E1000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.innosetup.comDVarFileInfo$	file.exe, 00000000.00000003.296912247.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.297046595.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000000.297615237.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-GLBR6.tmp.1.dr, is-8PA5U.tmp.0.dr	false	Avira URL Cloud: safe	low
http://www.atopoint.comJ	is-8PA5U.tmp, 00000001.00000003.382742741.000000000073C000.00000004.00000020.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000002.383315513.000000000073C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/?psU	file.exe, 00000000.00000003.296912247.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.297046595.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, is-8PA5U.tmp, 00000001.00000002.382985437.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-GLBR6.tmp.1.dr, is-8PA5U.tmp.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.139.105.171	unknown	Italy		33657	CMCSUS	false
45.139.105.1	unknown	Italy		33657	CMCSUS	true
85.31.46.167	unknown	Germany		43659	CLOUDCOMPUTINGDE	true
107.182.129.235	unknown	Reserved		11070	META-ASUS	true
171.22.30.106	unknown	Germany		33657	CMCSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	753419
Start date and time:	2022-11-24 19:47:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 8s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@12/23@0/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 38.3% (good quality ratio 37.2%) Quality average: 80.8% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
TCP Packets have been reduced to 100
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:48:07	API Interceptor	1x Sleep call for process: 1mWX2l.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\PrintFolders\Guide.chm (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	118869
Entropy (8bit):	7.933172616287708
Encrypted:	false
SSDEEP:	1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT
MD5:	204A5BF160646F9A55ED70AB6E1A07A6
SHA1:	5404AB219FA01C270ADC36303D447109503C4A4D
SHA-256:	CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
SHA-512:	6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	ITSF....`..................\|.{.......".....\|.{......."..`...............x.......T.......................U...............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR......./#ITBITS..../#STRINGS...>.../#SYSTEM..V.../#TOPICS....`./#URLSTR...Gw./#URLTBL....H./#WINDOWS.....D./$FIftiMain...g..8./$OBJINST...T.../author.htm...m.<./cmdline.htm...O.../ctxmenu.jpg...3..B./index.htm..'.y./interface.htm.. .^./logo.jpg...P..4./main.css...u.../PrintDir.hhc...).'./screenshot.jpg.....././shell.htm...~.Q.::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content..[...,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable...P...........

C:\Program Files (x86)\PrintFolders\History.txt (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5403
Entropy (8bit):	4.918324842676727
Encrypted:	false
SSDEEP:	96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY
MD5:	C8B211D81EB7D4F9EBB071A117444D51
SHA1:	43BF57BB0931EBED953FE17F937C1C7FF58A027C
SHA-256:	AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
SHA-512:	C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	=====================.. History of Releases..=====================....Legend..------..[+] - added..[] - modified..[-] - bug fixed......Version 2.51b..-------------..[-] The output file path wasn't updated in certain circumstances..[-] Added the workaround for the modal message boxes bug in Wine....Version 2.51a..-------------..[+] Focus rectangle added for the "Go!" button..[+] Added program version to the setup info..[] A couple of interface optimizations..[-] "Check for updates" now should work under Wine....Version 2.51..------------..[+] The "Help" buttons now present in each dialog..[+] Russian user interface..[] Improved Wine compatibility..[-] One very elusive bug inherited from the early versions finally fixed..[-] Improved the "Check for updates" behavior..[-] Fixed several regressions and smaller bugs....Version 2.5..-----------..[+] Checking for updates on startup (registered users only)..[] Faster processing of large numbers of files..[*] Folders containing no files acc

C:\Program Files (x86)\PrintFolders\License.txt (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	3391
Entropy (8bit):	4.812121234949207
Encrypted:	false
SSDEEP:	96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk
MD5:	A5E8094B0CBADE929AEE07F5DA5E9429
SHA1:	60BB56A380CD9126AC067AE39B262E28A22532CD
SHA-256:	F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
SHA-512:	018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C
Malicious:	false
Preview:	PRINTFOLDERS version 2.51b..Copyright (C) 2009-2012 Andrey Pivovarov. All rights reserved.....END USER LICENSE AGREEMENT....This license describes the conditions under which you may use version 2.51b of ..PrintFolders ("the program"). If you are unable or unwilling to accept these ..conditions in full, then, notwithstanding the conditions in the remainder of ..this license, you may not use the program at all.....The program is a full-functional software. The program never expires and may be ..used for any period of time. The program has no exclusive limitations and does ..not require registration, though you may register your copy of the program to ..support the authors and remove the nag screens.....You may copy and distribute verbatim copies of the program executable, in any ..medium, provided that you conspicuously and appropriately publish on each copy ..an appropriate copyright notice and disclaimer of warranty; keep intact all the ..notices that refer to this license and to the a

C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	1785853
Entropy (8bit):	5.942323714155969
Encrypted:	false
SSDEEP:	24576:6+68+Hj+x+D9+k+F+rsu+Y+VHbB2gqthjMt7qKwgevCVtLBpvLFs:T0H6xfdkrcxZ+tFMt7sv4ZW
MD5:	988A479E180E7899959663226C9AAC1B
SHA1:	17D641877924F5C55E3E4D310CA7DFE45C175F7D
SHA-256:	5B026DFAEA2B8A837CDBC90FD42E5951E6AB4B75A7E1937EFCE2265611E11276
SHA-512:	E494EBB7B7E3EC5EBC5960E98A46AB7863B1A7CDC7300E50F2C85563610F30BE60CC3667F148D760017009D96D018BC7002F8C6DE64AF105D7E1F698DC3267DE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..c..........'.................0.............@..........................@..............................................4........0...c...........................................................................................................text............................... ..`.rdata..n........ ..................@..@.data...@...........................@....tls......... ....... ..............@....rsrc....p...0...p...0..............@..@.rgw89..............................`...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\Russian.dll (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	4.508743257769972
Encrypted:	false
SSDEEP:	192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f
MD5:	4FB606EDBDE8EFB6D34E6E1BC5F677F1
SHA1:	F8F094064D107384E619DED1139932AA38476272
SHA-256:	A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
SHA-512:	5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.............5...............5......Rich....................PE..L....SwO...........!.........P...............................................p............@.......................................... ..`M...........................................................................................................rdata..m...........................@..@.rsrc...`M... ...N..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\is-36EDD.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	118869
Entropy (8bit):	7.933172616287708
Encrypted:	false
SSDEEP:	1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT
MD5:	204A5BF160646F9A55ED70AB6E1A07A6
SHA1:	5404AB219FA01C270ADC36303D447109503C4A4D
SHA-256:	CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
SHA-512:	6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15
Malicious:	false
Preview:	ITSF....`..................\|.{.......".....\|.{......."..`...............x.......T.......................U...............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR......./#ITBITS..../#STRINGS...>.../#SYSTEM..V.../#TOPICS....`./#URLSTR...Gw./#URLTBL....H./#WINDOWS.....D./$FIftiMain...g..8./$OBJINST...T.../author.htm...m.<./cmdline.htm...O.../ctxmenu.jpg...3..B./index.htm..'.y./interface.htm.. .^./logo.jpg...P..4./main.css...u.../PrintDir.hhc...).'./screenshot.jpg.....././shell.htm...~.Q.::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content..[...,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable...P...........

C:\Program Files (x86)\PrintFolders\is-9NS73.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	data
Category:	dropped
Size (bytes):	1785853
Entropy (8bit):	5.942322646015392
Encrypted:	false
SSDEEP:	24576:R+68+Hj+x+D9+k+F+rsu+Y+VHbB2gqthjMt7qKwgevCVtLBpvLFs:A0H6xfdkrcxZ+tFMt7sv4ZW
MD5:	24DBF089638D212A0988EE71792025E8
SHA1:	6E62F67E5476060B2171526A8458A80525F21F94
SHA-256:	B4264A3B330A97C5BC9D419ABF9515966D3397017DF074A5BA08A7BF72A61687
SHA-512:	282A3A3DFA5B86D5FA50376024915F194B143A3F51415B713A335BEB74F8220A5B912E126C4B1E462F599B25069423F1BA836EB628452C0414D12E1FEE6E22AA
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..c..........'.................0.............@..........................@..............................................4........0...c...........................................................................................................text............................... ..`.rdata..n........ ..................@..@.data...@...........................@....tls......... ....... ..............@....rsrc....p...0...p...0..............@..@.rgw89..............................`...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\is-EPDSE.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	3391
Entropy (8bit):	4.812121234949207
Encrypted:	false
SSDEEP:	96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk
MD5:	A5E8094B0CBADE929AEE07F5DA5E9429
SHA1:	60BB56A380CD9126AC067AE39B262E28A22532CD
SHA-256:	F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
SHA-512:	018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C
Malicious:	false
Preview:	PRINTFOLDERS version 2.51b..Copyright (C) 2009-2012 Andrey Pivovarov. All rights reserved.....END USER LICENSE AGREEMENT....This license describes the conditions under which you may use version 2.51b of ..PrintFolders ("the program"). If you are unable or unwilling to accept these ..conditions in full, then, notwithstanding the conditions in the remainder of ..this license, you may not use the program at all.....The program is a full-functional software. The program never expires and may be ..used for any period of time. The program has no exclusive limitations and does ..not require registration, though you may register your copy of the program to ..support the authors and remove the nag screens.....You may copy and distribute verbatim copies of the program executable, in any ..medium, provided that you conspicuously and appropriately publish on each copy ..an appropriate copyright notice and disclaimer of warranty; keep intact all the ..notices that refer to this license and to the a

C:\Program Files (x86)\PrintFolders\is-GLBR6.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	669450
Entropy (8bit):	6.478399502986981
Encrypted:	false
SSDEEP:	12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx
MD5:	CF680B53729F6E3059183D51F91D337D
SHA1:	4D6EB765BB4837F09283101490375DF5F68C8E37
SHA-256:	A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D
SHA-512:	1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................d......t.............@..............................................@..............................$%......P+...................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...P+.......,..................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\PrintFolders\is-GVS6M.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5403
Entropy (8bit):	4.918324842676727
Encrypted:	false
SSDEEP:	96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY
MD5:	C8B211D81EB7D4F9EBB071A117444D51
SHA1:	43BF57BB0931EBED953FE17F937C1C7FF58A027C
SHA-256:	AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
SHA-512:	C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB
Malicious:	false
Preview:	=====================.. History of Releases..=====================....Legend..------..[+] - added..[] - modified..[-] - bug fixed......Version 2.51b..-------------..[-] The output file path wasn't updated in certain circumstances..[-] Added the workaround for the modal message boxes bug in Wine....Version 2.51a..-------------..[+] Focus rectangle added for the "Go!" button..[+] Added program version to the setup info..[] A couple of interface optimizations..[-] "Check for updates" now should work under Wine....Version 2.51..------------..[+] The "Help" buttons now present in each dialog..[+] Russian user interface..[] Improved Wine compatibility..[-] One very elusive bug inherited from the early versions finally fixed..[-] Improved the "Check for updates" behavior..[-] Fixed several regressions and smaller bugs....Version 2.5..-----------..[+] Checking for updates on startup (registered users only)..[] Faster processing of large numbers of files..[*] Folders containing no files acc

C:\Program Files (x86)\PrintFolders\is-NSDTB.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	4.508743257769972
Encrypted:	false
SSDEEP:	192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f
MD5:	4FB606EDBDE8EFB6D34E6E1BC5F677F1
SHA1:	F8F094064D107384E619DED1139932AA38476272
SHA-256:	A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
SHA-512:	5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.............5...............5......Rich....................PE..L....SwO...........!.........P...............................................p............@.......................................... ..`M...........................................................................................................rdata..m...........................@..@.rsrc...`M... ...N..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\unins000.dat

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	InnoSetup Log PrintFolders {73D78C7A-78F2-476F-86FF-9025EA410908}, version 0x2a, 3813 bytes, 040965\user, "C:\Program Files (x86)\PrintFolders"
Category:	dropped
Size (bytes):	3813
Entropy (8bit):	4.502801686145839
Encrypted:	false
SSDEEP:	48:wGITyMHLBv8iD86plmE6FoIN0hqkLVO3471qV/LDa0zA47brL1XLjt:fUrp8iD86p45oIyhqYOIh0Nft
MD5:	5B3F2721E0A66E1839F68D766D4CA56A
SHA1:	3A0C94379344A2224A9E5FA5B23400D3BCB4D921
SHA-256:	9F088E172E91E763423A1E153AD9C74E1739A70AB5DD0E04B0DBDA97D867C9A6
SHA-512:	95D531100020CEA7DC8C0A12CD544865D6119CAA42296C9B76BEA24175431C97E7179019C0E5C68D1779C55FBA2127660CC776BB2BA1C1065D5994309DDC78B9
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................{73D78C7A-78F2-476F-86FF-9025EA410908}}.........................................................................................PrintFolders....................................................................................................................*...........%.................................................................................................................<........rv.a......C....040965.user#C:\Program Files (x86)\PrintFolders...........0...... ..........Q.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..'...dll:kernel32.dll.CreateFileA.............#...dll:kernel32.dll.WriteFile...........!...dll:kernel32.dll.CloseHandle.......!...dll:kernel32.dll.ExitProcess.......$...dll:User32.dll.GetSystemMet

C:\Program Files (x86)\PrintFolders\unins000.exe (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	669450
Entropy (8bit):	6.478399502986981
Encrypted:	false
SSDEEP:	12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx
MD5:	CF680B53729F6E3059183D51F91D337D
SHA1:	4D6EB765BB4837F09283101490375DF5F68C8E37
SHA-256:	A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D
SHA-512:	1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................d......t.............@..............................................@..............................$%......P+...................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...P+.......,..................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\count[1].htm

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fuckingdllENCR[1].dll

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	data
Category:	dropped
Size (bytes):	94224
Entropy (8bit):	7.998072640845361
Encrypted:	true
SSDEEP:	1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
MD5:	418619EA97671304AF80EC60F5A50B62
SHA1:	F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
SHA-256:	EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
SHA-512:	F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
Malicious:	false
Preview:	...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.\|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..\|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=\|....'....[1.~.YB:./...A`...=..F..K...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\library[1].htm

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\ping[1].htm

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.1751231351134614
Encrypted:	false
SSDEEP:	3:nCmxEl:Cmc
MD5:	064DB2A4C3D31A4DC6AA2538F3FE7377
SHA1:	8F877AE1873C88076D854425221E352CA4178DFA
SHA-256:	0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
SHA-512:	CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
Malicious:	false
Preview:	UwUoooIIrwgh24uuU

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\library[1].htm

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_iscrypt.dll

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_setup64.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.226829458093667
Encrypted:	false
SSDEEP:	48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa
MD5:	9E5BA8A0DB2AE3A955BEE397534D535D
SHA1:	EF08EF5FAC94F42C276E64765759F8BC71BF88CB
SHA-256:	08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA
SHA-512:	229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........o4...g...g...g).zg...g...g...g.&lg...g.&yg...gRich...g........PE..d...9TTB..........#...........................@..............................P...............................................................!..x............@..H.................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...,....0......................@....pdata..H....@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_shfoldr.dll

Process:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	658944
Entropy (8bit):	6.468629759056718
Encrypted:	false
SSDEEP:	12288:Oh5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxO0:05NoqWolrP837JzHvA6yknyWFxvJxO0
MD5:	85B94E72C3F2D2B5464E2AAF3C9E242A
SHA1:	CE7CCAE5F50A990D059D59292D4A332979E162BA
SHA-256:	1441464FEEEF365573AF18802C464769B7D3107624FDE24604F57E386F97F1A7
SHA-512:	C0C27189989DB482BE9BDA5B6B8B1441BDC5E9B0F3A414CCAB4C4BE516E7F99E25717845361A5B196114502FAAAF21BEC7ACA91B497ACD2E2396F49C31850880
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................d......t.............@..............................................@..............................$%......P+...................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...P+.......,..................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\1mWX2l.exe

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.20389308045717
Encrypted:	false
SSDEEP:	1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
MD5:	3FB36CB0B7172E5298D2992D42984D06
SHA1:	439827777DF4A337CBB9FA4A4640D0D3FA1738B7
SHA-256:	27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
SHA-512:	6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
Entropy (8bit):	7.988937012959573
TrID:	Win32 Executable (generic) a (10002005/4) 98.88% Inno Setup installer (109748/4) 1.08% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1315223
MD5:	3b97fd1136b9ed348734e5ea77aaa75a
SHA1:	fa3e9db1c2f462cf41d43487f0f73be6615876ba
SHA256:	dbcb891f6ed1d7aca11dd0263d68b3ce082d2e7eca152a098981307da9a6cc24
SHA512:	3df7d8cc58d848a5b7d7e13feb8bb052cb23f6128f748c21164ae03e925e7efe7d81e2cc22fdfae2f5b3f91a230d5f0582c16939bf9451776aa69a50b9dcb6bf
SSDEEP:	24576:tiz5xUo9TmhntrEQ5NYa3MH7vfLtduGvvAu1CT7gZIY7eCLxYi3:GMiKbZ5SHuQxMgNeVi3
TLSH:	EB553303CED5A434E4F18DB32C6A106859BC7D1239B16072E17D9EE85D1BB89BD2E32D
File Content Preview:	MZP.....................@.......................Innoo...................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Static PE Info

General

Entrypoint:	0x40968c
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	da86ff6d22d7419ae7f10724a403dffd

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFD4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-1Ch], eax
call 00007F4F0CCE9C5Fh
call 00007F4F0CCEAF0Ah
call 00007F4F0CCED0FDh
call 00007F4F0CCED144h
call 00007F4F0CCEF693h
call 00007F4F0CCEF782h
mov esi, 0040BDE0h
xor eax, eax
push ebp
push 00409D71h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00409D27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040B014h]
call 00007F4F0CCF010Fh
call 00007F4F0CCEFCCEh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F4F0CCED5B8h
mov edx, dword ptr [ebp-10h]
mov eax, 0040BDD4h
call 00007F4F0CCE9D0Bh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040BDD4h]
mov dl, 01h
mov eax, 004070C4h
call 00007F4F0CCEDC1Bh
mov dword ptr [0040BDD8h], eax
xor edx, edx
push ebp
push 00409D05h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
lea edx, dword ptr [ebp-18h]
mov eax, dword ptr [0040BDD8h]
call 00007F4F0CCEDCF3h
mov ebx, dword ptr [ebp-18h]
mov edx, 00000030h
mov eax, dword ptr [0040BDD8h]
call 00007F4F0CCEDE2Dh
mov edx, esi
mov ecx, 0000000Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc000	0x8c8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x263c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x8e00	0x8e00	False	0.6218364876760564	data	6.600437911517656	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xa000	0x248	0x400	False	0.3115234375	data	2.7204325510923035	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xb000	0xe64	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc000	0x8c8	0xa00	False	0.389453125	data	4.2507970587946735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xd000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xe000	0x18	0x200	False	0.052734375	data	0.1991075177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xf000	0x86c	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x263c	0x2800	False	0.322265625	data	4.568719834340923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1030c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States
RT_ICON	0x10434	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States
RT_ICON	0x1099c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_ICON	0x10c84	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States
RT_STRING	0x1152c	0x2f2	data
RT_STRING	0x11820	0x30c	data
RT_STRING	0x11b2c	0x2ce	data
RT_STRING	0x11dfc	0x68	data
RT_STRING	0x11e64	0xb4	data
RT_STRING	0x11f18	0xae	data
RT_GROUP_ICON	0x11fc8	0x3e	data	English	United States
RT_VERSION	0x12008	0x3a8	data	English	United States
RT_MANIFEST	0x123b0	0x289	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryA, ReadFile, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2022 19:48:08.845411062 CET	49695	80	192.168.2.4	45.139.105.171
Nov 24, 2022 19:48:08.872612953 CET	80	49695	45.139.105.171	192.168.2.4
Nov 24, 2022 19:48:08.872729063 CET	49695	80	192.168.2.4	45.139.105.171
Nov 24, 2022 19:48:08.873241901 CET	49695	80	192.168.2.4	45.139.105.171
Nov 24, 2022 19:48:08.901078939 CET	80	49695	45.139.105.171	192.168.2.4
Nov 24, 2022 19:48:08.906027079 CET	80	49695	45.139.105.171	192.168.2.4
Nov 24, 2022 19:48:08.906120062 CET	49695	80	192.168.2.4	45.139.105.171
Nov 24, 2022 19:48:08.952500105 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:08.980077982 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:08.980241060 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:08.980861902 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.008341074 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.008464098 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.008567095 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.039063931 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.066371918 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.066755056 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.066803932 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.066845894 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.066903114 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.066903114 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.066903114 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.066922903 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.066966057 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.066988945 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.067008972 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.067040920 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.067050934 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.067066908 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.067095041 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.067109108 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.067137957 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.067181110 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.067195892 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.067259073 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.094621897 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.094691038 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.094738007 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.094780922 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.094821930 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.094830036 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.094830990 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.094866037 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.094914913 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.094937086 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.094944000 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.094988108 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.095006943 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.095030069 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.095033884 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.095074892 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.095083952 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.095130920 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.123045921 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123111010 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123155117 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123194933 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123235941 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123246908 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.123246908 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.123281002 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123302937 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.123326063 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123344898 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.123368025 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123387098 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.123410940 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123424053 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.123452902 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123467922 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.123495102 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.123506069 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.123547077 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151106119 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151173115 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151259899 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151293993 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151293993 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151305914 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151349068 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151355028 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151355028 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151391983 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151417971 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151433945 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151444912 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151477098 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151489019 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151520014 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151531935 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151562929 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151580095 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151604891 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.151627064 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.151657104 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.179450035 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.179513931 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.179558992 CET	80	49696	107.182.129.235	192.168.2.4
Nov 24, 2022 19:48:09.179627895 CET	49696	80	192.168.2.4	107.182.129.235
Nov 24, 2022 19:48:09.179680109 CET	80	49696	107.182.129.235	192.168.2.4

HTTP Request Dependency Graph

45.139.105.171

107.182.129.235

171.22.30.106

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 2144, Parent PID: 3528

General

Target ID:	0
Start time:	19:48:01
Start date:	24/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	1315223 bytes
MD5 hash:	3B97FD1136B9ED348734E5EA77AAA75A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: is-8PA5U.tmpPID: 244, Parent PID: 2144

General

Target ID:	1
Start time:	19:48:01
Start date:	24/11/2022
Path:	C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp" /SL4 $4025C "C:\Users\user\Desktop\file.exe" 1079207 51712
Imagebase:	0x400000
File size:	658944 bytes
MD5 hash:	85B94E72C3F2D2B5464E2AAF3C9E242A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate

Analysis Process: PrintFolders.exePID: 2344, Parent PID: 244

General

Target ID:	2
Start time:	19:48:04
Start date:	24/11/2022
Path:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
Imagebase:	0x400000
File size:	1785853 bytes
MD5 hash:	988A479E180E7899959663226C9AAC1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.381983447.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.381766513.0000000003070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.380785981.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 1mWX2l.exePID: 4668, Parent PID: 2344

General

Target ID:	3
Start time:	19:48:07
Start date:	24/11/2022
Path:	C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\1mWX2l.exe
Wow64 process (32bit):	true
Commandline:
Imagebase:	0x850000
File size:	73728 bytes
MD5 hash:	3FB36CB0B7172E5298D2992D42984D06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 46%, ReversingLabs
Reputation:	high

Analysis Process: cmd.exePID: 6128, Parent PID: 2344

General

Target ID:	4
Start time:	19:48:40
Start date:	24/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 1688, Parent PID: 6128

General

Target ID:	5
Start time:	19:48:40
Start date:	24/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskkill.exePID: 3172, Parent PID: 6128

General

Target ID:	6
Start time:	19:48:41
Start date:	24/11/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im "PrintFolders.exe" /f
Imagebase:	0x310000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly