IOC Report
W445hIpF47.exe


Files

File Path | Type | Category | Malicious
W445hIpF47.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\W445hIpF47.exe | "C:\Users\user\Desktop\W445hIpF47.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe | "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" | malicious
3 further processes are hidden and not listed in this report.

URLs

Name | IP | Malicious
http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9 | unknown | malicious
https://www.torproject.org/ | unknown |
http://ipv4bot.whatismyipaddress.com/ | unknown |
http://ipv4bot.whatismyipaddress.com/75 | unknown |
https://tox.chat/download.html | unknown |

Domains

Name | IP | Malicious
ipv4bot.whatismyipaddress.com | unknown |

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | oikgjamwdag | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | vlujgxdarml | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | icyakbwwtkt | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | vcvvgrlytwo | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | fnwitigtrzg | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | jxyyakggfhw | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | pufpoqlopxk | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | gwocugdvyyi | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | ldtrmpohtby | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | fwyuhnnfppu | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | psmkjgiilgz | malicious
1 further registry entry is hidden and not listed in this report.

Memdumps

Base Address | Region type | Protect | Malicious
FCE2000 | unknown | page read and write | malicious
FCDA000 | unknown | page readonly | malicious
FCE2000 | unknown | page read and write | malicious
FCDA000 | unknown | page readonly | malicious
36C0000 | direct allocation | page read and write | malicious
FCDA000 | unknown | page readonly | malicious
3990000 | direct allocation | page read and write | malicious
FCDA000 | unknown | page readonly | malicious
FCDA000 | unknown | page readonly | malicious
3960000 | direct allocation | page read and write | malicious
FCE2000 | unknown | page read and write | malicious
FCDA000 | unknown | page readonly | malicious
FCDA000 | unknown | page readonly | malicious
FCDA000 | unknown | page readonly | malicious
FCE2000 | unknown | page read and write | malicious
FCDA000 | unknown | page readonly | malicious
FCDA000 | unknown | page readonly | malicious
3D60000 | direct allocation | page read and write | malicious
3A10000 | direct allocation | page read and write | malicious
FCDA000 | unknown | page readonly | malicious
FCDA000 | unknown | page readonly | malicious
3CA0000 | direct allocation | page read and write | malicious
3240000 | direct allocation | page read and write | malicious