IOC Report
mPNVrHIpyt.exe

loading gif

Files

File Path
Type
Category
Malicious
mPNVrHIpyt.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample
 malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
 malicious

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\mPNVrHIpyt.exe
"C:\Users\user\Desktop\mPNVrHIpyt.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe
"C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
malicious
There are 7 hidden processes, click here to show them.

URLs

Name
IP
Malicious
http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
unknown
 malicious
http://ipv4bot.whatismyipaddress.com/r
unknown
http://ipv4bot.whatismyipaddress.com/0
unknown
http://ipv4bot.whatismyipaddress.com/6
unknown
http://ipv4bot.whatismyipaddress.com/5
unknown
http://ipv4bot.whatismyipaddress.com/u
unknown
http://ipv4bot.whatismyipaddress.com/T
unknown
http://ipv4bot.whatismyipaddress.com/3
unknown
http://ipv4bot.whatismyipaddress.com/S
unknown
http://ipv4bot.whatismyipaddress.com/)
unknown
http://ipv4bot.whatismyipaddress.com/pxV
unknown
http://ipv4bot.whatismyipaddress.com/.
unknown
http://ipv4bot.whatismyipaddress.com/K
unknown
http://ipv4bot.whatismyipaddress.com/a
unknown
http://ipv4bot.whatismyipaddress.com/E:
unknown
http://ipv4bot.whatismyipaddress.com/%
unknown
https://www.torproject.org/
unknown
http://ipv4bot.whatismyipaddress.com/Z
unknown
http://ipv4bot.whatismyipaddress.com/Y
unknown
http://ipv4bot.whatismyipaddress.com/
unknown
https://tox.chat/download.html
unknown
http://ipv4bot.whatismyipaddress.com/nxD
unknown
There are 12 hidden URLs, click here to show them.

Domains

Name
IP
Malicious
ipv4bot.whatismyipaddress.com
unknown

IPs

IP
Domain
Country
Malicious
192.168.2.1
unknown
unknown

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
imsihyxywip
 malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
lwxsmttcgib
 malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
rbpjrvqzmfp
 malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
lldeowbcwli
 malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
mvsrloqetvq
 malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
pkxyauwkvet
 malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
axlnhkgixlf
 malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
xjlfhrnjhfo
 malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
ovikprhtlzq