File name:

file

Full analysis: https://app.any.run/tasks/f2d0d82e-6102-4eda-bee4-56b89e0d4f67
Verdict: Malicious activity
Threats:

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This upgraded version of Arkei stealer has been terrorizing the internet since 2018.

Analysis date: December 06, 2022, 00:09:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
loader
gcleaner
stealer
vidar
amadey
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5:

0D075C0A31D92DE7F67FD3CC10526E89

SHA1:

261D82DECD3192CDD675E2E027C5D4436572A5F1

SHA256:

EC3190BEE8B37B12A46AEB60C273F3D1397D2E739FAB71AA2A24D03FFA3EFBAC

SSDEEP:

98304:wOa+3ngx1WUVTgKbOTMIkSvnnWl/nNmGRdcwb/sgoN2c4FrNppy2LcY/f:NaEngv1f4MQnn+/4GMwD3oNx4pNLcY/f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • is-CD75O.tmp (PID: 468)
      • Ddyol.exe (PID: 3680)
      • PrintFolders.exe (PID: 3004)
      • gntuud.exe (PID: 2716)
    • Application was dropped or rewritten from another process

      • vOEdAhiYZXN.exe (PID: 2852)
      • Ddyol.exe (PID: 3680)
      • AvXVi6G.exe (PID: 2984)
      • Dsr7Js4o.exe (PID: 664)
      • gntuud.exe (PID: 2716)
      • gntuud.exe (PID: 2056)
      • gntuud.exe (PID: 2148)
    • G-cleaner network activity is detected

      • PrintFolders.exe (PID: 3004)
    • Steals credentials from Web Browsers

      • Ddyol.exe (PID: 3680)
    • VIDAR was detected

      • Ddyol.exe (PID: 3680)
    • Loads dropped or rewritten executable

      • Ddyol.exe (PID: 3680)
      • rundll32.exe (PID: 3656)
    • Changes the Startup folder

      • gntuud.exe (PID: 2716)
    • Uses Task Scheduler to run other applications

      • gntuud.exe (PID: 2716)
    • Changes the autorun value in the registry

      • gntuud.exe (PID: 2716)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2920)
    • AMADEY was detected

      • gntuud.exe (PID: 2716)
    • Connects to the CnC server

      • rundll32.exe (PID: 3656)
  • SUSPICIOUS

    • Reads the Internet Settings

      • PrintFolders.exe (PID: 3004)
      • Ddyol.exe (PID: 3680)
      • Dsr7Js4o.exe (PID: 664)
      • gntuud.exe (PID: 2716)
    • Drops a file with too old compile date

      • is-CD75O.tmp (PID: 468)
      • gntuud.exe (PID: 2716)
    • Creates a directory in Program Files

      • is-CD75O.tmp (PID: 468)
    • Executable content was dropped or overwritten

      • is-CD75O.tmp (PID: 468)
      • Ddyol.exe (PID: 3680)
      • PrintFolders.exe (PID: 3004)
      • gntuud.exe (PID: 2716)
    • Reads the Windows owner or organization settings

      • is-CD75O.tmp (PID: 468)
    • Reads Microsoft Outlook installation path

      • PrintFolders.exe (PID: 3004)
    • Connects to the server without a host name

      • Ddyol.exe (PID: 3680)
      • PrintFolders.exe (PID: 3004)
      • gntuud.exe (PID: 2716)
      • rundll32.exe (PID: 3656)
    • Checks Windows Trust Settings

      • Ddyol.exe (PID: 3680)
    • Reads security settings of Internet Explorer

      • Ddyol.exe (PID: 3680)
    • Reads browser cookies

      • Ddyol.exe (PID: 3680)
    • Reads settings of System Certificates

      • Ddyol.exe (PID: 3680)
    • Searches for installed software

      • Ddyol.exe (PID: 3680)
    • Starts CMD.EXE for self-deleting

      • Ddyol.exe (PID: 3680)
    • Starts CMD.EXE for commands execution

      • Ddyol.exe (PID: 3680)
      • PrintFolders.exe (PID: 3004)
    • Starts itself from another location

      • Dsr7Js4o.exe (PID: 664)
    • Uses TASKKILL.EXE to terminate process

      • cmd.exe (PID: 3996)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3996)
    • Executes via Task Scheduler

      • gntuud.exe (PID: 2056)
      • gntuud.exe (PID: 2148)
    • Uses RUNDLL32.EXE to load library

      • gntuud.exe (PID: 2716)
    • Process requests binary or script from the Internet

      • gntuud.exe (PID: 2716)
  • INFO

    • Checks proxy server information

      • PrintFolders.exe (PID: 3004)
      • Ddyol.exe (PID: 3680)
      • gntuud.exe (PID: 2716)
    • Checks supported languages

      • file.exe (PID: 3544)
      • is-CD75O.tmp (PID: 468)
      • PrintFolders.exe (PID: 3004)
      • vOEdAhiYZXN.exe (PID: 2852)
      • Ddyol.exe (PID: 3680)
      • AvXVi6G.exe (PID: 2984)
      • Dsr7Js4o.exe (PID: 664)
      • gntuud.exe (PID: 2716)
      • gntuud.exe (PID: 2056)
      • gntuud.exe (PID: 2148)
    • Reads the computer name

      • is-CD75O.tmp (PID: 468)
      • PrintFolders.exe (PID: 3004)
      • Ddyol.exe (PID: 3680)
      • Dsr7Js4o.exe (PID: 664)
      • gntuud.exe (PID: 2716)
    • Creates a file in a temporary directory

      • is-CD75O.tmp (PID: 468)
      • file.exe (PID: 3544)
      • Dsr7Js4o.exe (PID: 664)
      • gntuud.exe (PID: 2716)
    • Drops a file that was compiled in debug mode

      • is-CD75O.tmp (PID: 468)
      • Ddyol.exe (PID: 3680)
      • PrintFolders.exe (PID: 3004)
    • Creates a software uninstall entry

      • is-CD75O.tmp (PID: 468)
    • Creates files in the program directory

      • is-CD75O.tmp (PID: 468)
      • Ddyol.exe (PID: 3680)
    • Loads dropped or rewritten executable

      • is-CD75O.tmp (PID: 468)
    • Application was dropped or rewritten from another process

      • is-CD75O.tmp (PID: 468)
    • Reads Environment values

      • Ddyol.exe (PID: 3680)
    • Reads CPU info

      • Ddyol.exe (PID: 3680)
    • Reads the CPU's name

      • Ddyol.exe (PID: 3680)
    • Reads product name

      • Ddyol.exe (PID: 3680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (82.8)
.exe | Win32 Executable Delphi generic (10.7)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName:
FileDescription: PrintFolders Setup
FileVersion:
InternalName:
OriginalFilename:
ProductName:
ProductVersion:

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: 0
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 26
e_oemid: 0
e_oeminfo: 0
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
4096
36352
36352
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60044
DATA
40960
584
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.72043
BSS
45056
3684
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
49152
2248
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.2508
.tls
53248
8
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
57344
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.199108
.reloc
61440
2156
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc
65536
167124
167424
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
5.27927

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.39383
1128
Latin 1 / Western European
English - United States
RT_ICON
2
5.94971
2440
Latin 1 / Western European
English - United States
RT_ICON
3
5.5357
4264
Latin 1 / Western European
English - United States
RT_ICON
4
5.48577
9640
Latin 1 / Western European
English - United States
RT_ICON
5
5.25469
16936
Latin 1 / Western European
English - United States
RT_ICON
6
5.46372
21640
Latin 1 / Western European
English - United States
RT_ICON
7
5.3545
38056
Latin 1 / Western European
English - United States
RT_ICON
8
4.90318
67624
Latin 1 / Western European
English - United States
RT_ICON
4089
3.21823
754
Latin 1 / Western European
UNKNOWN
RT_STRING
4090
3.31515
780
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
17
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start file.exe no specs file.exe is-cd75o.tmp #GCLEANER printfolders.exe voedahiyzxn.exe no specs #VIDAR ddyol.exe avxvi6g.exe cmd.exe no specs timeout.exe no specs dsr7js4o.exe no specs #AMADEY gntuud.exe schtasks.exe no specs cmd.exe no specs taskkill.exe no specs gntuud.exe no specs rundll32.exe gntuud.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2988"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
PrintFolders Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
3544"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Integrity Level:
HIGH
Description:
PrintFolders Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
468"C:\Users\admin\AppData\Local\Temp\is-OOKJL.tmp\is-CD75O.tmp" /SL4 $30138 "C:\Users\admin\AppData\Local\Temp\file.exe" 3759280 208896 C:\Users\admin\AppData\Local\Temp\is-OOKJL.tmp\is-CD75O.tmp
file.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.42.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\is-ookjl.tmp\is-cd75o.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3004"C:\Program Files\PrintFolders\PrintFolders.exe" C:\Program Files\PrintFolders\PrintFolders.exe
is-CD75O.tmp
User:
admin
Company:
Atr Software
Integrity Level:
HIGH
Description:
Data Recovery
Exit code:
0
Version:
1.2.3.100
Modules
Images
c:\program files\printfolders\printfolders.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2852 C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\vOEdAhiYZXN.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\voedahiyzxn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
3680"C:\Users\admin\AppData\Roaming\3dsmBNRu\Ddyol.exe"C:\Users\admin\AppData\Roaming\3dsmBNRu\Ddyol.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\3dsmbnru\ddyol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
2984"C:\Users\admin\AppData\Roaming\d0gMfzJK94\AvXVi6G.exe"C:\Users\admin\AppData\Roaming\d0gMfzJK94\AvXVi6G.exe
PrintFolders.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\d0gmfzjk94\avxvi6g.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
3928"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\admin\AppData\Roaming\3dsmBNRu\Ddyol.exe" & exitC:\Windows\System32\cmd.exeDdyol.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\apphelp.dll
2064timeout /t 6 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
664"C:\Users\admin\AppData\Roaming\hjFSUTgu\Dsr7Js4o.exe"C:\Users\admin\AppData\Roaming\hjFSUTgu\Dsr7Js4o.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\hjfsutgu\dsr7js4o.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
Total events
9 085
Read events
8 972
Write events
111
Delete events
2

Modification events

(PID) Process:(468) is-CD75O.tmpKey:HKEY_CURRENT_USER\Software\Atzpoint Software\PrintFolders
Operation:writeName:Language
Value:
eng
(PID) Process:(468) is-CD75O.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.1.2-beta
(PID) Process:(468) is-CD75O.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\PrintFolders
(PID) Process:(468) is-CD75O.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\PrintFolders\
(PID) Process:(468) is-CD75O.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: Icon Group
Value:
PrintFolders
(PID) Process:(468) is-CD75O.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(468) is-CD75O.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayName
Value:
PrintFolders 3.100
(PID) Process:(468) is-CD75O.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PrintFolders\PrintFolders.exe
(PID) Process:(468) is-CD75O.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:UninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe"
(PID) Process:(468) is-CD75O.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2483D7A-78F2-476F-86FF-6B2EA9310854}}_is1
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe" /SILENT
Executable files
25
Suspicious files
10
Text files
7
Unknown types
14

Dropped files

PID
Process
Filename
Type
468is-CD75O.tmpC:\Program Files\PrintFolders\is-AAI4B.tmp
MD5:
SHA256:
468is-CD75O.tmpC:\Program Files\PrintFolders\PrintFolders.exe
MD5:
SHA256:
3544file.exeC:\Users\admin\AppData\Local\Temp\is-OOKJL.tmp\is-CD75O.tmpexecutable
MD5:10C841B0221D6870DE7C951EAF5B1DA9
SHA256:4252858D9C6D8D55F829D7E418EA8357FD26FBDF8C0FCE1FED23A8C720A8807E
3004PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ping[1].htmtext
MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
SHA256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
468is-CD75O.tmpC:\Program Files\PrintFolders\License.txttext
MD5:A5E8094B0CBADE929AEE07F5DA5E9429
SHA256:F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
3004PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fuckingdllENCR[1].dllbinary
MD5:418619EA97671304AF80EC60F5A50B62
SHA256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
3004PrintFolders.exeC:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\vOEdAhiYZXN.exeexecutable
MD5:3FB36CB0B7172E5298D2992D42984D06
SHA256:27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
468is-CD75O.tmpC:\Program Files\PrintFolders\Guide.chmchm
MD5:204A5BF160646F9A55ED70AB6E1A07A6
SHA256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
3004PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\count[1].htmbinary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
468is-CD75O.tmpC:\Users\admin\AppData\Local\Temp\is-LDCQR.tmp\_isetup\_shfoldr.dllexecutable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
12
DNS requests
3
Threats
23

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3004
PrintFolders.exe
GET
200
45.139.105.171:80
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
BG
binary
1 b
unknown
3004
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
3.78 Mb
suspicious
3004
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/extension.php
US
binary
92.0 Kb
suspicious
3004
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
386 Kb
suspicious
3004
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/ping.php
US
text
17 b
suspicious
3680
Ddyol.exe
GET
200
8.241.9.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?eddc7b0fdb42a6c9
US
compressed
4.70 Kb
whitelisted
3680
Ddyol.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
2716
gntuud.exe
POST
200
77.73.133.72:80
http://77.73.133.72/hfk3vK9/index.php?scr=1
KZ
malicious
3004
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
executable
260 Kb
suspicious
3680
Ddyol.exe
GET
200
195.201.250.87:80
http://195.201.250.87/update.zip
DE
compressed
3.47 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3680
Ddyol.exe
192.124.249.24:80
ocsp.godaddy.com
SUCURI-SEC
US
suspicious
3004
PrintFolders.exe
45.139.105.171:80
Xdeer Limited
BG
unknown
3680
Ddyol.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
malicious
3004
PrintFolders.exe
107.182.129.235:80
Delis LLC
US
suspicious
3656
rundll32.exe
77.73.133.72:80
Partner LLC
KZ
malicious
2716
gntuud.exe
77.73.133.72:80
Partner LLC
KZ
malicious
3004
PrintFolders.exe
171.22.30.106:80
Delis LLC
US
suspicious
3680
Ddyol.exe
195.201.250.87:80
Hetzner Online GmbH
DE
malicious
3680
Ddyol.exe
8.241.9.254:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
ctldl.windowsupdate.com
  • 8.241.9.254
  • 8.248.141.254
  • 8.253.207.121
  • 8.248.133.254
  • 8.248.143.254
whitelisted
ocsp.godaddy.com
  • 192.124.249.24
  • 192.124.249.41
  • 192.124.249.36
  • 192.124.249.23
  • 192.124.249.22
whitelisted

Threats

PID
Process
Class
Message
3004
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3004
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3004
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3680
Ddyol.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
3004
PrintFolders.exe
Misc activity
ET INFO Packed Executable Download
3004
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3004
PrintFolders.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3680
Ddyol.exe
A Network Trojan was detected
ET TROJAN Arkei/Vidar/Mars Stealer Variant
3004
PrintFolders.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3004
PrintFolders.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2 ETPRO signatures available at the full report
No debug info