IOC Report

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| PtBIxmYbK8.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_0272cd40\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DF2.tmp.csv | data | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER62D5.tmp.txt | data | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA15.tmp.dmp | Mini DuMP crash report, 15 streams, Sat Jan 15 04:03:58 2022, 0x1205a4 type | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC08F.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC533.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 61414 bytes, 1 file | dropped | clean |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | modified | clean |
| C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log | Little-endian UTF-16 Unicode text, with CRLF, CR line terminators | modified | clean |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | clean |
| C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_08b56415\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER1607.tmp.csv | data | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FFB.tmp.txt | data | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CA5.tmp.dmp | Mini DuMP crash report, 15 streams, Sat Jan 15 03:47:54 2022, 0x1205a4 type | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER52DF.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER57F1.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc | malicious |
| C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll" | malicious |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1 | malicious |
| C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s C:\Users\user\Desktop\PtBIxmYbK8.dll | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",#1 | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\PtBIxmYbK8.dll,DllRegisterServer | malicious |
| C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PtBIxmYbK8.dll",DllRegisterServer | malicious |
| C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mjuakgeb\fhtvflqppfnv.wdg",DvMDRtCzK | malicious |
| C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mjuakgeb\fhtvflqppfnv.wdg",DllRegisterServer | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nvtcylmbo\muiecmoc.icg",BOAeVPaP | malicious |
| C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nvtcylmbo\muiecmoc.icg",DllRegisterServer | malicious |
| C:\Windows\System32\SgrmBroker.exe | C:\Windows\system32\SgrmBroker.exe | clean |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6048 -ip 6048 | clean |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 512 | clean |
| C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable | clean |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048 | clean |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 516 | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| https://www.disneyplus.com/legal/your-california-privacy-rights | unknown | clean |
| http://crl.ver) | unknown | clean |
| https://www.disneyplus.com/legal/privacy-policy | unknown | clean |
| http://upx.sf.net | unknown | clean |
| https://www.tiktok.com/legal/report/feedback | unknown | clean |
| http://help.disneyplus.com. | unknown | clean |
| http://schemas.microft8 | unknown | clean |
| https://disneyplus.com/legal. | unknown | clean |