IOC Report
file.exe

loading gif

Files

File Path
Type
Category
Malicious
file.exe
PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
initial sample
malicious
C:\Program Files (x86)\PrintFolders\PrintFolders.exe
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
modified
malicious
C:\Program Files (x86)\PrintFolders\Russian.dll (copy)
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Program Files (x86)\PrintFolders\is-6QPAJ.tmp
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Program Files (x86)\PrintFolders\is-JPR4D.tmp
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Program Files (x86)\PrintFolders\unins000.exe (copy)
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\is-2LA91.tmp\_iscrypt.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\is-2LA91.tmp\_isetup\_setup64.tmp
PE32+ executable (console) x86-64, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\CqxAaSZxg.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Program Files (x86)\PrintFolders\Guide.chm (copy)
MS Windows HtmlHelp Data
dropped
C:\Program Files (x86)\PrintFolders\History.txt (copy)
ASCII text, with CRLF line terminators
dropped
C:\Program Files (x86)\PrintFolders\License.txt (copy)
RAGE Package Format (RPF),
dropped
C:\Program Files (x86)\PrintFolders\is-3PESN.tmp
data
dropped
C:\Program Files (x86)\PrintFolders\is-B2P4P.tmp
RAGE Package Format (RPF),
dropped
C:\Program Files (x86)\PrintFolders\is-D385T.tmp
ASCII text, with CRLF line terminators
dropped
C:\Program Files (x86)\PrintFolders\is-U4GGJ.tmp
MS Windows HtmlHelp Data
dropped
C:\Program Files (x86)\PrintFolders\unins000.dat
InnoSetup Log PrintFolders {73D78C7A-78F2-476F-86FF-9025EA410908}, version 0x2a, 3814 bytes, 992547\user, "C:\Program Files (x86)\PrintFolders"
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\fuckingdllENCR[1].dll
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\count[1].htm
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\library[1].htm
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\library[1].htm
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\ping[1].htm
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\is-2LA91.tmp\_isetup\_shfoldr.dll
PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
dropped
There are 14 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files (x86)\PrintFolders\PrintFolders.exe
"C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
malicious
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\CqxAaSZxg.exe
malicious
C:\Users\user\Desktop\file.exe
C:\Users\user\Desktop\file.exe
C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp
"C:\Users\user\AppData\Local\Temp\is-F6DC2.tmp\is-71GCF.tmp" /SL4 $30340 "C:\Users\user\Desktop\file.exe" 1077961 51712
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "PrintFolders.exe" /f

URLs

Name
IP
Malicious
http://171.22.30.106/library.phpV
unknown
malicious
http://171.22.30.106/library.php:
unknown
malicious
http://171.22.30.106/library.php~
unknown
malicious
http://171.22.30.106/library.phpB
unknown
malicious
http://171.22.30.106/library.phpjN
unknown
malicious
http://171.22.30.106/library.phpH
unknown
malicious
http://171.22.30.106/library.php&
unknown
malicious
http://171.22.30.106/library.phpj
unknown
malicious
http://171.22.30.106/library.php0
unknown
malicious
http://171.22.30.106/library.php
171.22.30.106
malicious
http://pfolders.atopoint.com.
unknown
http://www.innosetup.com/
unknown
http://pfolders.atopoint.com2
unknown
http://www.atopoint.com
unknown
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
45.139.105.171
http://107.182.129.235/storage/extension.php
107.182.129.235
http://www.remobjects.com/?ps
unknown
http://pfolders.atopoint.com
unknown
http://www.innosetup.com
unknown
http://107.182.129.235/storage/ping.php
107.182.129.235
http://www.atopoint.com.
unknown
http://www.innosetup.comDVarFileInfo$
unknown
http://www.remobjects.com/?psU
unknown
There are 13 hidden URLs, click here to show them.

IPs

IP
Domain
Country
Malicious
45.139.105.1
unknown
Italy
malicious
85.31.46.167
unknown
Germany
malicious