IOC Report
wThN5MTIsw.exe


Files

File Path | Type | Category | Malicious
wThN5MTIsw.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\wThN5MTIsw.exe | "C:\Users\user\Desktop\wThN5MTIsw.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe | "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" | malicious

11 further processes are not shown in this report.

URLs

Name | IP | Malicious
http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f | unknown | malicious
http://ipv4bot.whatismyipaddress.com/2 | unknown |
http://ipv4bot.whatismyipaddress.com/5 | unknown |
http://ipv4bot.whatismyipaddress.com/S | unknown |
http://ipv4bot.whatismyipaddress.com/) | unknown |
http://ipv4bot.whatismyipaddress.com/I | unknown |
http://ipv4bot.whatismyipaddress.com/QL | unknown |
http://ipv4bot.whatismyipaddress.com/g | unknown |
http://ipv4bot.whatismyipaddress.com/I; | unknown |
http://ipv4bot.whatismyipaddress.com/& | unknown |
https://www.torproject.org/ | unknown |
http://ipv4bot.whatismyipaddress.com/G%b | unknown |
http://ipv4bot.whatismyipaddress.com/x | unknown |
http://ipv4bot.whatismyipaddress.com/ | unknown |
https://tox.chat/download.html | unknown |

5 further URLs are not shown in this report.

Domains

Name | IP | Malicious
ipv4bot.whatismyipaddress.com | unknown |

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | qxcdehgjaib | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | ocipuxittak | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | trtwjkdvbrs | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | ftylkauykkg | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | biktigczvpq | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | rjjumyjxpew | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | ypcrxwqpxuk | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | qtytdguwutr | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | hdwqlmoiwuh | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | hedsypabrrz | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | oprgxbvjexb | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | vlllmsigvhf | malicious