IOC Report
mPNVrHIpyt.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| mPNVrHIpyt.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\mPNVrHIpyt.exe | "C:\Users\user\Desktop\mPNVrHIpyt.exe" | malicious |
| C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe | "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe" | malicious (16 identical entries in the original report) |

7 further processes are hidden in the original report.

URLs

| Name | IP | Malicious |
|---|---|---|
| http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b | unknown | malicious |
| http://ipv4bot.whatismyipaddress.com/r | unknown | |
| http://ipv4bot.whatismyipaddress.com/0 | unknown | |
| http://ipv4bot.whatismyipaddress.com/6 | unknown | |
| http://ipv4bot.whatismyipaddress.com/5 | unknown | |
| http://ipv4bot.whatismyipaddress.com/u | unknown | |
| http://ipv4bot.whatismyipaddress.com/T | unknown | |
| http://ipv4bot.whatismyipaddress.com/3 | unknown | |
| http://ipv4bot.whatismyipaddress.com/S | unknown | |
| http://ipv4bot.whatismyipaddress.com/) | unknown | |
| http://ipv4bot.whatismyipaddress.com/pxV | unknown | |
| http://ipv4bot.whatismyipaddress.com/. | unknown | |
| http://ipv4bot.whatismyipaddress.com/K | unknown | |
| http://ipv4bot.whatismyipaddress.com/a | unknown | |
| http://ipv4bot.whatismyipaddress.com/E: | unknown | |
| http://ipv4bot.whatismyipaddress.com/% | unknown | |
| https://www.torproject.org/ | unknown | |
| http://ipv4bot.whatismyipaddress.com/Z | unknown | |
| http://ipv4bot.whatismyipaddress.com/Y | unknown | |
| http://ipv4bot.whatismyipaddress.com/ | unknown | |
| https://tox.chat/download.html | unknown | |
| http://ipv4bot.whatismyipaddress.com/nxD | unknown | |

12 further URLs are hidden in the original report.

Domains

| Name | IP | Malicious |
|---|---|---|
| ipv4bot.whatismyipaddress.com | unknown | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 192.168.2.1 | unknown | unknown | |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | imsihyxywip | malicious |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | lwxsmttcgib | malicious |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | rbpjrvqzmfp | malicious |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | lldeowbcwli | malicious |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | mvsrloqetvq | malicious |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | pkxyauwkvet | malicious |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | axlnhkgixlf | malicious |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | xjlfhrnjhfo | malicious |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce | ovikprhtlzq | |