IOC Report

Files

File Path | Type | Category | Verdict
nIQCsrVbbw.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Network\Downloader\edb.log | MPEG-4 LOAS | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Extensible storage engine DataBase, version 0x620, checksum 0xb577f95a, page size 16384, DirtyShutdown, Windows version 10.0 | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | data | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_1858c648\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E1.tmp.csv | data | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER48CA.tmp.txt | data | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB61B.tmp.dmp | Mini DuMP crash report, 15 streams, Sat Jan 15 03:00:09 2022, 0x1205a4 type | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC85.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF45.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 61414 bytes, 1 file | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | modified | clean
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | ASCII text, with no line terminators | dropped | clean
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | clean
C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped | clean

Not shown in this excerpt: 5 further files.

The Type column is a libmagic guess, not a verdict: edb.log is the ESE transaction log that belongs with qmgr.db and qmgr.jfm (the BITS job database), not audio. The WER entries are the crash report Windows wrote when loaddll32.exe, the sandbox's DLL host, faulted while running the sample.

Processes

Path | Cmdline | Verdict
C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll" | malicious
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 | malicious
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup | clean
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748 | clean
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512 | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -p -s BITS | clean

Not shown in this excerpt: 8 further processes.

The first five loader entries are the sandbox exercising the sample's exports (ordinal #1 and DllRegisterServer) through loaddll32, rundll32 and regsvr32. The last two rundll32 entries are the sample's own activity: a module named lvdcgmwj.xbl, with a non-DLL extension, is loaded from a randomly named directory under the system folder, first through the export PtnVsXFQteN and then through DllRegisterServer. The System32 and SysWOW64 spellings refer to the same file, because WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit processes such as SysWOW64\rundll32.exe. The .xbl file itself is among the files not shown in this excerpt.
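The loader pattern in the process list (rundll32 and regsvr32 invoked on a module from a user-writable path, by ordinal, or on a non-DLL file inside a System32 subdirectory) is what a detection rule should key on, since the random names in the path change per infection. The script below is an added example and not part of the sandbox report: the command lines in CMDLINES are copied from the Processes table above, but the parser, the reason strings, the allowed-extension set and the user-writable path markers are this example's own assumptions and would need tuning to a real estate.

```python
"""Flag rundll32/regsvr32 command lines that load a module from an unusual
place, by ordinal, or with a non-DLL extension.

Added example, not part of the sandbox report. CMDLINES is copied from the
report's Processes table; the heuristics and their thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command lines from the Processes table above, plus one benign svchost line
# from the same table as a control.
CMDLINES = [
    r'loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll"',
    r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1',
    r'regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll',
    r'rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1',
    r'rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer',
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
]

# Extensions rundll32 legitimately loads (assumption; tune to the estate).
MODULE_EXTENSIONS = {"dll", "cpl", "ocx", "ax", "drv"}
# Path fragments a standard user can write to (assumption).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32 <module>[,<export>] with the module optionally quoted; regsvr32
# takes switches before the module and has no explicit export.
_RUNDLL32 = re.compile(
    r'\brundll32(?:\.exe)?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))'
    r'(?:\s*,\s*(?P<exp>[^\s"]+))?', re.I)
_REGSVR32 = re.compile(
    r'\bregsvr32(?:\.exe)?\s+(?:/\S+\s+)*(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)


@dataclass
class Finding:
    cmdline: str
    module: str
    export: Optional[str]
    reasons: List[str]


def parse_loader(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (module, export) for a rundll32/regsvr32 command line, else None.

    regsvr32 always calls DllRegisterServer (DllUnregisterServer with /u),
    so that export is recorded even though it never appears on the line.
    """
    m = _RUNDLL32.search(cmdline)
    if m:
        return (m.group("q") or m.group("u"), m.group("exp"))
    m = _REGSVR32.search(cmdline)
    if m:
        export = "DllUnregisterServer" if re.search(r"\s/u\b", cmdline, re.I) else "DllRegisterServer"
        return (m.group("q") or m.group("u"), export)
    return None


def suspicious_reasons(module: str, export: Optional[str]) -> List[str]:
    """Heuristics (assumptions) describing why a load is worth a look."""
    path = module.lower().replace("/", "\\")
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if "." in base and base.rsplit(".", 1)[-1] not in MODULE_EXTENSIONS:
        reasons.append("non-DLL extension")
    for sysdir in SYSTEM_DIRS:
        # Legitimate system DLLs sit directly in System32; a nested directory is unusual.
        if path.startswith(sysdir) and "\\" in path[len(sysdir):]:
            reasons.append("module in a System32/SysWOW64 subdirectory")
            break
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("module in a user-writable location")
    if export and export.startswith("#"):
        reasons.append("export called by ordinal")
    return reasons


def scan(cmdlines: List[str]) -> List[Finding]:
    """Return one Finding per loader command line that trips at least one heuristic."""
    findings = []
    for line in cmdlines:
        parsed = parse_loader(line)
        if not parsed:
            continue
        module, export = parsed
        reasons = suspicious_reasons(module, export)
        if reasons:
            findings.append(Finding(line, module, export, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(CMDLINES):
        print(f"{f.module} -> {f.export}: {', '.join(f.reasons)}")
```

Run on the table's command lines, the seven rundll32/regsvr32 entries are flagged and the svchost control is not; the two lvdcgmwj.xbl loads trip both the extension and the subdirectory heuristics, which is the combination worth alerting on even when the path and export names are different.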

URLs

Name | IP | Verdict
https://www.disneyplus.com/legal/your-california-privacy-rights | unknown | clean
http://crl.ver) | unknown | clean
https://www.disneyplus.com/legal/privacy-policy | unknown | clean
http://upx.sf.net | unknown | clean
https://www.tiktok.com/legal/report/feedback | unknown | clean
http://help.disneyplus.com. | unknown | clean
https://disneyplus.com/legal. | unknown | clean

"unknown" in the IP column means the sandbox observed no resolution of that name; the entries are reproduced as extracted, including the truncated http://crl.ver) and the trailing periods.

IPs

IP | Domain | Country | Verdict
207.148.81.119 | unknown | United States | malicious
104.131.62.48 | unknown | United States | malicious
85.214.67.203 | unknown | Germany | malicious
191.252.103.16 | unknown | Brazil | malicious
168.197.250.14 | unknown | Argentina | malicious
66.42.57.149 | unknown | United States | malicious
185.148.168.15 | unknown | Germany | malicious
51.210.242.234 | unknown | France | malicious
217.182.143.207 | unknown | France | malicious
69.16.218.101 | unknown | United States | malicious
159.69.237.188 | unknown | Germany | malicious
45.138.98.34 | unknown | Germany | malicious
116.124.128.206 | unknown | Korea Republic of | malicious
78.46.73.125 | unknown | Germany | malicious
37.59.209.141 | unknown | France | malicious
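All fifteen addresses were contacted directly with no domain, so the usable indicator is the bare IP, and the list should be paired with a behavioural check because such lists rotate. The script below is an added example, not part of the report: IOC_IPS is copied from the table above, but SAMPLE_EVENTS are constructed for this example in a simplified Sysmon Event ID 3 key=value layout (not captured from the sandbox run), the internal-address ranges and the loader-process set are assumptions, and the 203.0.113.x and 198.51.100.x addresses are RFC 5737 documentation addresses standing in for arbitrary external hosts.

```python
"""Match network-connection telemetry against the IP indicators above.

Added example, not part of the sandbox report. IOC_IPS comes from the
report's IPs table; SAMPLE_EVENTS are constructed, and the internal ranges
and loader-process set are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# The 15 addresses flagged malicious in the IPs table above.
IOC_IPS = {
    "207.148.81.119", "104.131.62.48", "85.214.67.203", "191.252.103.16",
    "168.197.250.14", "66.42.57.149", "185.148.168.15", "51.210.242.234",
    "217.182.143.207", "69.16.218.101", "159.69.237.188", "45.138.98.34",
    "116.124.128.206", "78.46.73.125", "37.59.209.141",
}

# Processes that should rarely reach the internet on their own (assumption).
LOADER_IMAGES = {"rundll32.exe", "regsvr32.exe"}

# Address space treated as internal (assumption: RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample telemetry in a simplified Sysmon Event ID 3 layout (not from the report).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\SysWOW64\rundll32.exe DestinationIp=207.148.81.119 DestinationPort=443",
    r"Image=C:\Windows\SysWOW64\rundll32.exe DestinationIp=10.0.0.5 DestinationPort=445",
    r"Image=C:\Windows\SysWOW64\rundll32.exe DestinationIp=203.0.113.7 DestinationPort=8080",
    r"Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=104.131.62.48 DestinationPort=443",
    r"Image=C:\Windows\System32\svchost.exe DestinationIp=198.51.100.20 DestinationPort=80",
]

# key=value pairs whose values may contain spaces (e.g. "Program Files"):
# a value runs until the next " Key=" or end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict."""
    return dict(_KV.findall(line))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Verdict for one connection event, or None if unremarkable.

    A hit on the IOC list wins regardless of process. Otherwise a DLL-loader
    process reaching an external address is flagged, because the behaviour
    outlives any particular C2 list.
    """
    dest = event.get("DestinationIp", "")
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if dest in IOC_IPS:
        return "known C2 indicator"
    if image in LOADER_IMAGES and dest and not is_internal(dest):
        return "DLL loader connecting to an external host"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(image, destination, verdict) for every flagged line, in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev.get("Image", ""), ev.get("DestinationIp", ""), verdict))
    return hits


if __name__ == "__main__":
    for image, dest, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:42} {image} -> {dest}")
```

On the constructed events, the rundll32 connection to 207.148.81.119 and the browser connection to 104.131.62.48 match the list, the rundll32 connection to the documentation address is caught by the behavioural check alone, and the SMB connection to 10.0.0.5 and the svchost connection are left alone.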