IOC Report

Files

File Path

Type

Category

Malicious

nIQCsrVbbw.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

initial sample

download

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_14c0c43b\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAA8.tmp.dmp

Mini DuMP crash report, 15 streams, Sat Jan 15 03:15:40 2022, 0x1205a4 type

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB279.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB856.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF34C.tmp.csv

data

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCB3.tmp.txt

data

modified

download

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, 61414 bytes, 1 file

dropped

download

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

modified

download

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

download

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

MS Windows registry file, NT/2000 or above

dropped

download

C:\ProgramData\Microsoft\Network\Downloader\edb.log

MPEG-4 LOAS

dropped

download

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Extensible storage engine DataBase, version 0x620, checksum 0xb577f95a, page size 16384, DirtyShutdown, Windows version 10.0

dropped

download

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

data

dropped

download

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_1858c648\Report.wer

Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E1.tmp.csv

data

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WER48CA.tmp.txt

data

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB61B.tmp.dmp

Mini DuMP crash report, 15 streams, Sat Jan 15 03:00:09 2022, 0x1205a4 type

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC85.tmp.WERInternalMetadata.xml

XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

dropped

download

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF45.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

download

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

ASCII text, with no line terminators

dropped

download

There are 11 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s C:\Users\user\Desktop\nIQCsrVbbw.dll

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\nIQCsrVbbw.dll,DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nIQCsrVbbw.dll",DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gwwrzypqggddo\faunqcxbnkzdy.fxb",DpwIzoKqIHOYx

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gwwrzypqggddo\faunqcxbnkzdy.fxb",DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Uibizbzyxusffon\lvdcgmwj.xbl",PtnVsXFQteN

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Uibizbzyxusffon\lvdcgmwj.xbl",DllRegisterServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7120 -ip 7120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 512

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6748 -ip 6748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 512

C:\Windows\System32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -p -s BITS

There are 11 hidden processes, click here to show them.

URLs

Name

IP

Malicious

https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz#

unknown

Details

Name:	https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz#
TargetID:	11
From Memory:	true
Current Path:	C:\Windows\SysWOW64\rundll32.exe
Source:	rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

https://45.138.98.34/

unknown

Details

Name:	https://45.138.98.34/
TargetID:	11
From Memory:	true
Current Path:	C:\Windows\SysWOW64\rundll32.exe
Source:	rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
URLs found in memory or binary data	Networking

https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz

unknown

Details

Name:	https://45.138.98.34:80/pzThWGIkVuQKGXKeHBqdbAz
TargetID:	11
From Memory:	true
Current Path:	C:\Windows\SysWOW64\rundll32.exe
Source:	rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

https://www.disneyplus.com/legal/your-california-privacy-rights

unknown

Details

Name:	https://www.disneyplus.com/legal/your-california-privacy-rights
TargetID:	22
From Memory:	true
Current Path:	C:\Windows\System32\svchost.exe
Source:	svchost.exe, 00000016.00000003.424406324.000001641CD5D000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424442797.000001641CD80000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424316902.000001641CD70000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424335971.000001641CD80000.00000004.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.disneyplus.com/legal/privacy-policy

unknown

Details

Name:	https://www.disneyplus.com/legal/privacy-policy
TargetID:	22
From Memory:	true
Current Path:	C:\Windows\System32\svchost.exe
Source:	svchost.exe, 00000016.00000003.424406324.000001641CD5D000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424442797.000001641CD80000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424316902.000001641CD70000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.424335971.000001641CD80000.00000004.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAc1

unknown

Details

Name:	https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAc1
TargetID:	11
From Memory:	true
Current Path:	C:\Windows\SysWOW64\rundll32.exe
Source:	rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAc

unknown

Details

Name:	https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAc
TargetID:	11
From Memory:	true
Current Path:	C:\Windows\SysWOW64\rundll32.exe
Source:	rundll32.exe, 0000000B.00000002.691823696.00000000033D6000.00000004.00000001.sdmp, rundll32.exe, 0000000B.00000003.357685602.00000000033D6000.00000004.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://69.16.218.101:8080/GBwdsVvnKKEsOdMLrBySKnfjLZwMjZtlJDuPNHQIXAcY

unknown