IOC Report


Files

File path | Type | Category | Verdict
7MhGa3iotM.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 61414 bytes, 1 file | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | modified | clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl | data | dropped | clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl | data | dropped | clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl | data | dropped | clean
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001@` (copy) | data | dropped | clean
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy) | data | dropped | clean
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001C8 (copy) | data | dropped | clean
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log | Little-endian UTF-16 Unicode text, with CRLF, CR line terminators | modified | clean

Processes

Path | Command line | Verdict
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k unistacksvcgroup | malicious
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc | malicious
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1 | malicious
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s C:\Users\user\Desktop\7MhGa3iotM.dll | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1 | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\7MhGa3iotM.dll,DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym",JFlwYpDQ | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kgiezrb\edgitxrppqaf.tym",DllRegisterServer | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious
C:\Windows\System32\SgrmBroker.exe | C:\Windows\system32\SgrmBroker.exe | clean
C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll" | clean
C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
8 further processes are not shown in this report.
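The process table shows the sample being loaded through rundll32.exe and regsvr32.exe from the user's Desktop, then a copy with a non-DLL extension (edgitxrppqaf.tym) being executed from a subdirectory of SysWOW64. Two rows name that same file once as C:\Windows\SysWOW64\Kgiezrb\... and once as C:\Windows\System32\Kgiezrb\...: the loader is the 32-bit rundll32.exe, and WOW64 file-system redirection maps a 32-bit process's references to System32 onto SysWOW64, so both spellings denote one file and a path-based IOC or allow-list has to fold them together. The svchost.exe command lines in the table are standard Windows service-host invocations; the verdict on those rows is the sandbox's assessment of those process instances in this run, not of the command line itself. The following hunt script is an added example and is not part of the sandbox report or its vendor's tooling. It parses rundll32/regsvr32 command lines, normalises the WOW64 path spelling, scores the load on the traits visible above (non-DLL extension, user-writable source directory, ordinal export, module inside a subdirectory of System32/SysWOW64), and checks constructed network log lines against the IP list from the IPs table below. The process events and log lines embedded in it are constructed for the example; the first four events mirror rows of the table, the last two are benign controls.

```python
"""Hunt helpers for the rundll32/regsvr32 behaviour and network IOCs in the report.

Added example, not the sandbox vendor's code. Sample events and log lines are
constructed to resemble Sysmon process-creation / network-connection records.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Network IOCs copied verbatim from the report's IPs table.
IOC_IPS = {
    "207.148.81.119", "104.131.62.48", "85.214.67.203", "191.252.103.16",
    "168.197.250.14", "66.42.57.149", "185.148.168.15", "51.210.242.234",
    "217.182.143.207", "69.16.218.101", "159.69.237.188", "45.138.98.34",
    "116.124.128.206", "78.46.73.125", "37.59.209.141", "210.57.209.142",
    "185.148.168.220", "54.37.228.122", "190.90.233.66", "142.4.219.173",
    "54.38.242.185", "195.154.146.35", "195.77.239.39",
}

MODULE_EXTENSIONS = (".dll", ".ocx", ".cpl", ".ax")           # what rundll32/regsvr32 normally load
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32 "path",Export  /  rundll32 path,Export  /  regsvr32 [/flags] path
_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<mod>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
_REGSVR = re.compile(r'regsvr32(?:\.exe)?\s+(?:/\w+\s+)*"?(?P<mod>[^"\s]+)"?', re.I)


@dataclass
class Finding:
    module: str
    export: str
    reasons: List[str]


def normalize_wow64(image: str, module: str) -> str:
    """Fold the two spellings of one file produced by WOW64 redirection.

    A 32-bit process (image under SysWOW64) that opens C:\\Windows\\System32\\X is
    redirected to C:\\Windows\\SysWOW64\\X, which is why the report lists the dropped
    .tym file under both directories. Canonicalise to the SysWOW64 path."""
    if "\\syswow64\\" in image.lower() and module.lower().startswith(SYSTEM_DIRS[0]):
        return "C:\\Windows\\SysWOW64\\" + module[len(SYSTEM_DIRS[0]):]
    return module


def parse_module_load(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (module path, export) for a rundll32/regsvr32 command line, else None."""
    m = _RUNDLL.search(cmdline)
    if m:
        return m.group("mod"), m.group("export")
    m = _REGSVR.search(cmdline)
    if m:
        return m.group("mod"), "DllRegisterServer"   # regsvr32 always calls this export
    return None


def assess(image: str, cmdline: str) -> Optional[Finding]:
    """Score a process-creation event; None when it is not a suspicious module load."""
    parsed = parse_module_load(cmdline)
    if parsed is None:
        return None
    module, export = parsed
    module = normalize_wow64(image, module)
    low = module.lower()
    reasons = []
    if not low.endswith(MODULE_EXTENSIONS):
        reasons.append("module extension is not a DLL-type extension")
    if any(p in low for p in USER_WRITABLE):
        reasons.append("module loaded from a user-writable location")
    if export.startswith("#"):
        reasons.append("export called by ordinal")
    # A file directly in System32/SysWOW64 has three backslashes; deeper means a
    # subdirectory (Kgiezrb\ above). Legitimate subdirectories exist, so this is a
    # hunt signal to allow-list in production, not a standalone rule.
    if low.startswith(SYSTEM_DIRS) and low.count("\\") > 3:
        reasons.append("module in a subdirectory of System32/SysWOW64")
    return Finding(module, export, reasons) if reasons else None


def match_ip_iocs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, ip) for every log line carrying an IP from IOC_IPS."""
    ip_re = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in ip_re.findall(line) if ip in IOC_IPS]


# Constructed sample events (image, command line): four mirror the report, two are benign.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32.exe /s C:\Users\user\Desktop\7MhGa3iotM.dll"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r'rundll32.exe "C:\Users\user\Desktop\7MhGa3iotM.dll",#1'),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kgiezrb\edgitxrppqaf.tym",DllRegisterServer'),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kgiezrb\edgitxrppqaf.tym",JFlwYpDQ'),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

# Constructed network log lines; the middle one is a benign control.
SAMPLE_NETWORK_LOG = [
    "host01 rundll32.exe -> 207.148.81.119:8080",
    "host01 svchost.exe -> 13.107.4.50:80",
    "host01 rundll32.exe -> 195.77.239.39:443",
]


def hunt(events=SAMPLE_EVENTS, net_lines=SAMPLE_NETWORK_LOG):
    findings = []
    for image, cmdline in events:
        f = assess(image, cmdline)
        if f:
            findings.append((image, f))
    return findings, match_ip_iocs(net_lines)


if __name__ == "__main__":
    found, hits = hunt()
    for image, f in found:
        print(f"{image}: {f.module} [{f.export}] -> {'; '.join(f.reasons)}")
    for n, ip in hits:
        print(f"network line {n}: contact with IOC IP {ip}")
```

On the sample set the script flags the four loader rows (the two .tym rows collapse to the same SysWOW64 path after normalisation) and leaves the shell32.dll and svchost controls alone; two of the three constructed network lines match IOC addresses.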

URLs

Name | IP | Verdict
https://www.disneyplus.com/legal/your-california-privacy-rights | unknown | clean
http://crl.ver) | unknown | clean
https://www.disneyplus.com/legal/privacy-policy | unknown | clean
https://www.tiktok.com/legal/report/feedback | unknown | clean
http://help.disneyplus.com. | unknown | clean
https://disneyplus.com/legal. | unknown | clean

Domains

Name | IP | Verdict
windowsupdate.s.llnwi.net | 41.63.96.128 | clean

IPs

IP | Domain | Country | Verdict
207.148.81.119 | unknown | United States | malicious
104.131.62.48 | unknown | United States | malicious
85.214.67.203 | unknown | Germany | malicious
191.252.103.16 | unknown | Brazil | malicious
168.197.250.14 | unknown | Argentina | malicious
66.42.57.149 | unknown | United States | malicious
185.148.168.15 | unknown | Germany | malicious
51.210.242.234 | unknown | France | malicious
217.182.143.207 | unknown | France | malicious
69.16.218.101 | unknown | United States | malicious
159.69.237.188 | unknown | Germany | malicious
45.138.98.34 | unknown | Germany | malicious
116.124.128.206 | unknown | Korea, Republic of | malicious
78.46.73.125 | unknown | Germany | malicious
37.59.209.141 | unknown | France | malicious
210.57.209.142 | unknown | Indonesia | malicious
185.148.168.220 | unknown | Germany | malicious
54.37.228.122 | unknown | France | malicious
190.90.233.66 | unknown | Colombia | malicious
142.4.219.173 | unknown | Canada | malicious
54.38.242.185 | unknown | France | malicious
195.154.146.35 | unknown | France | malicious
195.77.239.39 | unknown | Spain | malicious