IOC Report
file.exe

loading gif

Files

File Path
Type
Category
Malicious
file.exe
PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
initial sample
malicious
C:\Program Files (x86)\PrintFolders\PrintFolders.exe
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
modified
malicious
C:\Program Files (x86)\PrintFolders\Russian.dll (copy)
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Program Files (x86)\PrintFolders\is-GLBR6.tmp
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Program Files (x86)\PrintFolders\is-NSDTB.tmp
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Program Files (x86)\PrintFolders\unins000.exe (copy)
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_iscrypt.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_setup64.tmp
PE32+ executable (console) x86-64, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\1mWX2l.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Program Files (x86)\PrintFolders\Guide.chm (copy)
MS Windows HtmlHelp Data
dropped
C:\Program Files (x86)\PrintFolders\History.txt (copy)
ASCII text, with CRLF line terminators
dropped
C:\Program Files (x86)\PrintFolders\License.txt (copy)
RAGE Package Format (RPF),
dropped
C:\Program Files (x86)\PrintFolders\is-36EDD.tmp
MS Windows HtmlHelp Data
dropped
C:\Program Files (x86)\PrintFolders\is-9NS73.tmp
data
dropped
C:\Program Files (x86)\PrintFolders\is-EPDSE.tmp
RAGE Package Format (RPF),
dropped
C:\Program Files (x86)\PrintFolders\is-GVS6M.tmp
ASCII text, with CRLF line terminators
dropped
C:\Program Files (x86)\PrintFolders\unins000.dat
InnoSetup Log PrintFolders {73D78C7A-78F2-476F-86FF-9025EA410908}, version 0x2a, 3813 bytes, 040965\user, "C:\Program Files (x86)\PrintFolders"
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\count[1].htm
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fuckingdllENCR[1].dll
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\library[1].htm
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\ping[1].htm
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\library[1].htm
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Temp\is-258FQ.tmp\_isetup\_shfoldr.dll
PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
dropped
There are 14 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files (x86)\PrintFolders\PrintFolders.exe
"C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
malicious
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\1mWX2l.exe
malicious
C:\Users\user\Desktop\file.exe
C:\Users\user\Desktop\file.exe
C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp
"C:\Users\user\AppData\Local\Temp\is-OJDTA.tmp\is-8PA5U.tmp" /SL4 $4025C "C:\Users\user\Desktop\file.exe" 1079207 51712
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "PrintFolders.exe" /f

URLs

Name
IP
Malicious
http://107.182.129.235/storage/extension.php
107.182.129.235
malicious
http://107.182.129.235/storage/ping.php
107.182.129.235
malicious
http://171.22.30.106/library.php
171.22.30.106
malicious
http://pfolders.atopoint.com.
unknown
http://www.innosetup.com/
unknown
http://www.atopoint.com
unknown
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
45.139.105.171
http://pfolders.atopoint.comZ
unknown
http://www.remobjects.com/?ps
unknown
http://pfolders.atopoint.com
unknown
http://www.innosetup.com
unknown
http://www.atopoint.com.
unknown
http://www.innosetup.comDVarFileInfo$
unknown
http://www.atopoint.comJ
unknown
http://www.remobjects.com/?psU
unknown
There are 5 hidden URLs, click here to show them.

IPs

IP
Domain
Country
Malicious
45.139.105.1
unknown
Italy
malicious
85.31.46.167
unknown
Germany
malicious
107.182.129.235
unknown
Reserved
malicious
171.22.30.106
unknown
Germany
malicious
45.139.105.171
unknown
Italy

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\Software\Atopoint Software\PrintFolders
Language
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1
Inno Setup: Setup Version
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1
Inno Setup: App Path
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1
InstallLocation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1
Inno Setup: Icon Group
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1
Inno Setup: User
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1
DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{73D78C7A-78F2-476F-86FF-9025EA410908}}_is1
DisplayIcon