File name:

file

Full analysis: https://app.any.run/tasks/5cde136d-cee2-4d19-ac88-02afb7a9ce4e
Verdict: Malicious activity
Threats:

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This upgraded version of Arkei stealer has been terrorizing the internet since 2018.

Analysis date: December 05, 2022, 21:34:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
loader
gcleaner
stealer
vidar
amadey
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5:

68425436636D032FABA7FE3E0A4ECE91

SHA1:

E7CCCF49A9EE8C0E922482FC1C9B99B197575F41

SHA256:

D0BE3792565AAE8BC68BD3AB3847B5D44298EB94EE6A09A7AF2C62305EBA3A78

SSDEEP:

98304:Q+FWIWSdmDCk4h3dDCdh64mVWYZr8xpb7zr/KtG/VaucY/B:fFWIWHvPdh64+QN3r/KuaucY/B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • gntuud.exe (PID: 3800)
    • Application was dropped or rewritten from another process

      • xhbyVNTTPYfvh.exe (PID: 2640)
      • iH0VCB.exe (PID: 3788)
      • CpxFvK.exe (PID: 1988)
      • gntuud.exe (PID: 3800)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 476)
      • gntuud.exe (PID: 2172)
    • G-cleaner network activity is detected

      • PrintFolders.exe (PID: 3200)
    • Steals credentials from Web Browsers

      • iH0VCB.exe (PID: 3788)
    • VIDAR was detected

      • iH0VCB.exe (PID: 3788)
    • Loads dropped or rewritten executable

      • iH0VCB.exe (PID: 3788)
      • rundll32.exe (PID: 3320)
    • Changes the autorun value in the registry

      • gntuud.exe (PID: 3800)
    • Changes the Startup folder

      • gntuud.exe (PID: 3800)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2920)
    • Uses Task Scheduler to run other applications

      • gntuud.exe (PID: 3800)
    • Connects to the CnC server

      • gntuud.exe (PID: 3800)
    • AMADEY was detected

      • gntuud.exe (PID: 3800)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • is-5A496.tmp (PID: 2240)
    • Executable content was dropped or overwritten

      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • gntuud.exe (PID: 3800)
    • Reads Microsoft Outlook installation path

      • PrintFolders.exe (PID: 3200)
    • Creates a directory in Program Files

      • is-5A496.tmp (PID: 2240)
    • Reads the Internet Settings

      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 3800)
    • Connects to the server without a host name

      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • gntuud.exe (PID: 3800)
    • Reads security settings of Internet Explorer

      • iH0VCB.exe (PID: 3788)
    • Checks Windows Trust Settings

      • iH0VCB.exe (PID: 3788)
    • Reads settings of System Certificates

      • iH0VCB.exe (PID: 3788)
    • Reads browser cookies

      • iH0VCB.exe (PID: 3788)
    • Searches for installed software

      • iH0VCB.exe (PID: 3788)
    • Starts CMD.EXE for self-deleting

      • iH0VCB.exe (PID: 3788)
    • Starts CMD.EXE for commands execution

      • iH0VCB.exe (PID: 3788)
      • PrintFolders.exe (PID: 3200)
    • Starts itself from another location

      • VbuRgjs49.exe (PID: 2288)
    • Uses TASKKILL.EXE to terminate process

      • cmd.exe (PID: 2452)
    • Executes via Task Scheduler

      • gntuud.exe (PID: 476)
      • gntuud.exe (PID: 2172)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2452)
    • Uses RUNDLL32.EXE to load library

      • gntuud.exe (PID: 3800)
    • Process requests binary or script from the Internet

      • gntuud.exe (PID: 3800)
    • Drops a file with too old compile date

      • gntuud.exe (PID: 3800)
  • INFO

    • Checks supported languages

      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • file.exe (PID: 2676)
      • iH0VCB.exe (PID: 3788)
      • xhbyVNTTPYfvh.exe (PID: 2640)
      • CpxFvK.exe (PID: 1988)
      • gntuud.exe (PID: 3800)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 476)
      • gntuud.exe (PID: 2172)
    • Reads the computer name

      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 3800)
    • Creates a file in a temporary directory

      • is-5A496.tmp (PID: 2240)
      • file.exe (PID: 2676)
      • VbuRgjs49.exe (PID: 2288)
      • gntuud.exe (PID: 3800)
    • Loads dropped or rewritten executable

      • is-5A496.tmp (PID: 2240)
    • Application was dropped or rewritten from another process

      • is-5A496.tmp (PID: 2240)
    • Creates files in the program directory

      • is-5A496.tmp (PID: 2240)
      • iH0VCB.exe (PID: 3788)
    • Drops a file that was compiled in debug mode

      • is-5A496.tmp (PID: 2240)
      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
    • Creates a software uninstall entry

      • is-5A496.tmp (PID: 2240)
    • Checks proxy server information

      • PrintFolders.exe (PID: 3200)
      • iH0VCB.exe (PID: 3788)
      • gntuud.exe (PID: 3800)
    • Reads product name

      • iH0VCB.exe (PID: 3788)
    • Reads the CPU's name

      • iH0VCB.exe (PID: 3788)
    • Reads CPU info

      • iH0VCB.exe (PID: 3788)
    • Reads Environment values

      • iH0VCB.exe (PID: 3788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (82.8)
.exe | Win32 Executable Delphi generic (10.7)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName:
FileDescription: PrintFolders Setup
FileVersion:
InternalName:
OriginalFilename:
ProductName:
ProductVersion:

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: 0
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 26
e_oemid: 0
e_oeminfo: 0
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
4096
36352
36352
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60044
DATA
40960
584
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.72043
BSS
45056
3684
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
49152
2248
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.2508
.tls
53248
8
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
57344
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.199108
.reloc
61440
2156
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc
65536
167124
167424
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
5.27927

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.39383
1128
Latin 1 / Western European
English - United States
RT_ICON
2
5.94971
2440
Latin 1 / Western European
English - United States
RT_ICON
3
5.5357
4264
Latin 1 / Western European
English - United States
RT_ICON
4
5.48577
9640
Latin 1 / Western European
English - United States
RT_ICON
5
5.25469
16936
Latin 1 / Western European
English - United States
RT_ICON
6
5.46372
21640
Latin 1 / Western European
English - United States
RT_ICON
7
5.3545
38056
Latin 1 / Western European
English - United States
RT_ICON
8
4.90318
67624
Latin 1 / Western European
English - United States
RT_ICON
4089
3.21823
754
Latin 1 / Western European
UNKNOWN
RT_STRING
4090
3.31515
780
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
17
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start file.exe no specs file.exe is-5a496.tmp #GCLEANER printfolders.exe xhbyvnttpyfvh.exe no specs #VIDAR ih0vcb.exe cpxfvk.exe cmd.exe no specs timeout.exe no specs vburgjs49.exe no specs #AMADEY gntuud.exe schtasks.exe no specs cmd.exe no specs taskkill.exe no specs gntuud.exe no specs rundll32.exe gntuud.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1968"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
PrintFolders Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
2676"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Integrity Level:
HIGH
Description:
PrintFolders Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
2240"C:\Users\admin\AppData\Local\Temp\is-168FA.tmp\is-5A496.tmp" /SL4 $30138 "C:\Users\admin\AppData\Local\Temp\file.exe" 3604422 208896 C:\Users\admin\AppData\Local\Temp\is-168FA.tmp\is-5A496.tmp
file.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.42.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-168fa.tmp\is-5a496.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3200"C:\Program Files\PrintFolders\PrintFolders.exe" C:\Program Files\PrintFolders\PrintFolders.exe
is-5A496.tmp
User:
admin
Company:
Atr Software
Integrity Level:
HIGH
Description:
Data Recovery
Exit code:
0
Version:
1.2.3.100
Modules
Images
c:\program files\printfolders\printfolders.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2640 C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\xhbyVNTTPYfvh.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\xhbyvnttpyfvh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
3788"C:\Users\admin\AppData\Roaming\sCXOqB\iH0VCB.exe"C:\Users\admin\AppData\Roaming\sCXOqB\iH0VCB.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\scxoqb\ih0vcb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
1988"C:\Users\admin\AppData\Roaming\5wj7z\CpxFvK.exe"C:\Users\admin\AppData\Roaming\5wj7z\CpxFvK.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\5wj7z\cpxfvk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
3156"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\admin\AppData\Roaming\sCXOqB\iH0VCB.exe" & exitC:\Windows\System32\cmd.exeiH0VCB.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3240timeout /t 6 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
2288"C:\Users\admin\AppData\Roaming\9AIDp5ZPMO\VbuRgjs49.exe"C:\Users\admin\AppData\Roaming\9AIDp5ZPMO\VbuRgjs49.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\9aidp5zpmo\vburgjs49.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
Total events
9 084
Read events
8 971
Write events
111
Delete events
2

Modification events

(PID) Process:(2240) is-5A496.tmpKey:HKEY_CURRENT_USER\Software\Atzpoint Software\PrintFolders
Operation:writeName:Language
Value:
eng
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.1.2-beta
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\PrintFolders
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\PrintFolders\
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Icon Group
Value:
PrintFolders
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayName
Value:
PrintFolders 3.100
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PrintFolders\PrintFolders.exe
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:UninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe"
(PID) Process:(2240) is-5A496.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe" /SILENT
Executable files
25
Suspicious files
10
Text files
7
Unknown types
14

Dropped files

PID
Process
Filename
Type
2240is-5A496.tmpC:\Program Files\PrintFolders\is-QKN25.tmp
MD5:
SHA256:
2240is-5A496.tmpC:\Program Files\PrintFolders\PrintFolders.exe
MD5:
SHA256:
2240is-5A496.tmpC:\Program Files\PrintFolders\Guide.chmchm
MD5:204A5BF160646F9A55ED70AB6E1A07A6
SHA256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
2240is-5A496.tmpC:\Program Files\PrintFolders\is-OEAPR.tmptext
MD5:C8B211D81EB7D4F9EBB071A117444D51
SHA256:AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
2240is-5A496.tmpC:\Users\admin\AppData\Local\Temp\is-UMSMN.tmp\_isetup\_shfoldr.dllexecutable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
2240is-5A496.tmpC:\Program Files\PrintFolders\is-H1O9F.tmpchm
MD5:204A5BF160646F9A55ED70AB6E1A07A6
SHA256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
2240is-5A496.tmpC:\Program Files\PrintFolders\unins000.datdat
MD5:EF6AB9378BD76B936156D5CA46FB834E
SHA256:4842E479CE38E1A0B0134F5F4E931D1FE061040E999BC01BEF84064D6B473D06
3200PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ping[1].htmtext
MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
SHA256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
2240is-5A496.tmpC:\Program Files\PrintFolders\is-6QND6.tmpexecutable
MD5:4FB606EDBDE8EFB6D34E6E1BC5F677F1
SHA256:A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
2240is-5A496.tmpC:\Program Files\PrintFolders\is-RVMIF.tmpexecutable
MD5:BCD1868E95254F9531A7FF38461C0D72
SHA256:63E895DEBEB29559931040AC4603720233B36C285C9D3F1BAA5A57AC58821A2C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
12
DNS requests
3
Threats
23

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3200
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
386 Kb
suspicious
3200
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
3.78 Mb
suspicious
3200
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/extension.php
US
binary
92.0 Kb
suspicious
3200
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/ping.php
US
text
17 b
suspicious
3200
PrintFolders.exe
GET
200
45.139.105.171:80
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
BG
binary
1 b
unknown
3788
iH0VCB.exe
GET
200
67.27.158.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?152da92c4ef394c2
US
compressed
4.70 Kb
whitelisted
3788
iH0VCB.exe
GET
200
195.201.250.87:80
http://195.201.250.87/update.zip
DE
compressed
3.47 Mb
malicious
3788
iH0VCB.exe
GET
200
195.201.250.87:80
http://195.201.250.87/1787
DE
text
110 b
malicious
3200
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
615 Kb
suspicious
3788
iH0VCB.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D
US
der
1.74 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3200
PrintFolders.exe
171.22.30.106:80
Delis LLC
US
suspicious
3200
PrintFolders.exe
107.182.129.235:80
Delis LLC
US
suspicious
3200
PrintFolders.exe
45.139.105.171:80
Xdeer Limited
BG
unknown
3788
iH0VCB.exe
67.27.158.126:80
ctldl.windowsupdate.com
LEVEL3
US
malicious
3788
iH0VCB.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
malicious
3788
iH0VCB.exe
192.124.249.22:80
ocsp.godaddy.com
SUCURI-SEC
US
suspicious
3320
rundll32.exe
77.73.133.72:80
Partner LLC
KZ
malicious
3800
gntuud.exe
77.73.133.72:80
Partner LLC
KZ
malicious
3788
iH0VCB.exe
195.201.250.87:80
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
ctldl.windowsupdate.com
  • 67.27.158.126
  • 67.27.157.126
  • 8.253.207.120
  • 8.248.135.254
  • 8.253.204.120
whitelisted
ocsp.godaddy.com
  • 192.124.249.22
  • 192.124.249.23
  • 192.124.249.41
  • 192.124.249.36
  • 192.124.249.24
whitelisted

Threats

PID
Process
Class
Message
3200
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3200
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3200
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3200
PrintFolders.exe
Misc activity
ET INFO Packed Executable Download
3200
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3200
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3788
iH0VCB.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
3788
iH0VCB.exe
A Network Trojan was detected
ET TROJAN Arkei/Vidar/Mars Stealer Variant
3200
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3200
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2 ETPRO signatures available at the full report
No debug info