IOC Report

Files

File Path | Type | Category | Malicious
nIQCsrVbbw.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_14c0c43b\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAA8.tmp.dmp | Mini DuMP crash report, 15 streams, Sat Jan 15 03:15:40 2022, 0x1205a4 type | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB279.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB856.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF34C.tmp.csv | data | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCB3.tmp.txt | data | modified | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 61414 bytes, 1 file | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | modified | clean
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | clean
C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\edb.log | MPEG-4 LOAS | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Extensible storage engine DataBase, version 0x620, checksum 0xb577f95a, page size 16384, DirtyShutdown, Windows version 10.0 | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | data | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_1858c648\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E1.tmp.csv | data | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER48CA.tmp.txt | data | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB61B.tmp.dmp | Mini DuMP crash report, 15 streams, Sat Jan 15 03:00:09 2022, 0x1205a4 type | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC85.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF45.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | ASCII text, with no line terminators | dropped | clean
11 further files are not shown.

Processes

Path | Cmdline | Malicious
C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll" | malicious
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 | malicious
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1 | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gwwrzypqggddo\faunqcxbnkzdy.fxb",DpwIzoKqIHOYx | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gwwrzypqggddo\faunqcxbnkzdy.fxb",DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN | malicious
C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup | clean
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7120 -ip 7120 | clean
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 512 | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | clean
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748 | clean
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512 | clean
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -p -s BITS | clean
11 further processes are not shown.

URLs

Name | IP | Malicious
https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz# | unknown | malicious
https://45.138.98.34/ | unknown | malicious
https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz | unknown | malicious
https://www.disneyplus.com/legal/your-california-privacy-rights | unknown | clean
https://www.disneyplus.com/legal/privacy-policy | unknown | clean
https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAc1 | unknown | clean
https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAc | unknown | clean
https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAcY | unknown | clean