Analysis
max time kernel: 153s
max time network: 148s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 19-09-2022 16:34

Static task: static1

Behavioral task: behavioral1
Sample: 04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991.exe
Resource: win10v2004-20220901-en

General
Target: 04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991.exe
Size: 273KB
MD5: aad7e430001c57547416b6dcfe3b29a4
SHA1: 5b38dfecfc0e7c7cecf542e8191166333e74c548
SHA256: 04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991
SHA512: fc8d7cc0ac1eca9071eda613649bc3a0746eabf319870af930e17876001ae103acc5b57b24e7c3fc6aa8f84aaa7ba7b4c7475b68dd48c452990629746fa47fe7
SSDEEP: 6144:mY94NIKotWI35Deg5NEezflAGrEyueeQHEj69Y8P0jI:N9OSX7HflXIME6xPB
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Modifies WinLogon 2 TTPs 64 IoCs
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 46 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1020 | bpk.exe
1020 | bpk.exe

Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
1020 | bpk.exe (this row repeats 64 times; every entry is PID 1020, bpk.exe)

Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
1020 | bpk.exe (this row repeats 9 times; every entry is PID 1020, bpk.exe)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1148 wrote to memory of 1080 | 1148 | 04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991.exe | 27
PID 1148 wrote to memory of 1080 | 1148 | 04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991.exe | 27
PID 1148 wrote to memory of 1080 | 1148 | 04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991.exe | 27
PID 1148 wrote to memory of 1080 | 1148 | 04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991.exe | 27
PID 1080 wrote to memory of 1800 | 1080 | rinst.exe | 28
PID 1080 wrote to memory of 1800 | 1080 | rinst.exe | 28
PID 1080 wrote to memory of 1800 | 1080 | rinst.exe | 28
PID 1080 wrote to memory of 1800 | 1080 | rinst.exe | 28
PID 1080 wrote to memory of 1020 | 1080 | rinst.exe | 29
PID 1080 wrote to memory of 1020 | 1080 | rinst.exe | 29
PID 1080 wrote to memory of 1020 | 1080 | rinst.exe | 29
PID 1080 wrote to memory of 1020 | 1080 | rinst.exe | 29
PID 1800 wrote to memory of 1280 | 1800 | dichvum4gvn1.exe | 30
PID 1800 wrote to memory of 1280 | 1800 | dichvum4gvn1.exe | 30
PID 1800 wrote to memory of 1280 | 1800 | dichvum4gvn1.exe | 30
PID 1800 wrote to memory of 1280 | 1800 | dichvum4gvn1.exe | 30
PID 1280 wrote to memory of 520 | 1280 | dichvum4gvn1.exe | 31
PID 1280 wrote to memory of 520 | 1280 | dichvum4gvn1.exe | 31
PID 1280 wrote to memory of 520 | 1280 | dichvum4gvn1.exe | 31
PID 1280 wrote to memory of 520 | 1280 | dichvum4gvn1.exe | 31
PID 520 wrote to memory of 528 | 520 | dichvum4gvn1.exe | 32
PID 520 wrote to memory of 528 | 520 | dichvum4gvn1.exe | 32
PID 520 wrote to memory of 528 | 520 | dichvum4gvn1.exe | 32
PID 520 wrote to memory of 528 | 520 | dichvum4gvn1.exe | 32
PID 528 wrote to memory of 1464 | 528 | dichvum4gvn1.exe | 33
PID 528 wrote to memory of 1464 | 528 | dichvum4gvn1.exe | 33
PID 528 wrote to memory of 1464 | 528 | dichvum4gvn1.exe | 33
PID 528 wrote to memory of 1464 | 528 | dichvum4gvn1.exe | 33
PID 1464 wrote to memory of 1744 | 1464 | dichvum4gvn1.exe | 34
PID 1464 wrote to memory of 1744 | 1464 | dichvum4gvn1.exe | 34
PID 1464 wrote to memory of 1744 | 1464 | dichvum4gvn1.exe | 34
PID 1464 wrote to memory of 1744 | 1464 | dichvum4gvn1.exe | 34
PID 1744 wrote to memory of 852 | 1744 | dichvum4gvn1.exe | 35
PID 1744 wrote to memory of 852 | 1744 | dichvum4gvn1.exe | 35
PID 1744 wrote to memory of 852 | 1744 | dichvum4gvn1.exe | 35
PID 1744 wrote to memory of 852 | 1744 | dichvum4gvn1.exe | 35
PID 852 wrote to memory of 1836 | 852 | dichvum4gvn1.exe | 36
PID 852 wrote to memory of 1836 | 852 | dichvum4gvn1.exe | 36
PID 852 wrote to memory of 1836 | 852 | dichvum4gvn1.exe | 36
PID 852 wrote to memory of 1836 | 852 | dichvum4gvn1.exe | 36
PID 1836 wrote to memory of 1368 | 1836 | dichvum4gvn1.exe | 37
PID 1836 wrote to memory of 1368 | 1836 | dichvum4gvn1.exe | 37
PID 1836 wrote to memory of 1368 | 1836 | dichvum4gvn1.exe | 37
PID 1836 wrote to memory of 1368 | 1836 | dichvum4gvn1.exe | 37
PID 1368 wrote to memory of 1808 | 1368 | dichvum4gvn1.exe | 38
PID 1368 wrote to memory of 1808 | 1368 | dichvum4gvn1.exe | 38
PID 1368 wrote to memory of 1808 | 1368 | dichvum4gvn1.exe | 38
PID 1368 wrote to memory of 1808 | 1368 | dichvum4gvn1.exe | 38
PID 1808 wrote to memory of 1040 | 1808 | dichvum4gvn1.exe | 39
PID 1808 wrote to memory of 1040 | 1808 | dichvum4gvn1.exe | 39
PID 1808 wrote to memory of 1040 | 1808 | dichvum4gvn1.exe | 39
PID 1808 wrote to memory of 1040 | 1808 | dichvum4gvn1.exe | 39
PID 1040 wrote to memory of 1356 | 1040 | dichvum4gvn1.exe | 40
PID 1040 wrote to memory of 1356 | 1040 | dichvum4gvn1.exe | 40
PID 1040 wrote to memory of 1356 | 1040 | dichvum4gvn1.exe | 40
PID 1040 wrote to memory of 1356 | 1040 | dichvum4gvn1.exe | 40
PID 1356 wrote to memory of 1520 | 1356 | dichvum4gvn1.exe | 41
PID 1356 wrote to memory of 1520 | 1356 | dichvum4gvn1.exe | 41
PID 1356 wrote to memory of 1520 | 1356 | dichvum4gvn1.exe | 41
PID 1356 wrote to memory of 1520 | 1356 | dichvum4gvn1.exe | 41
PID 1520 wrote to memory of 2028 | 1520 | dichvum4gvn1.exe | 42
PID 1520 wrote to memory of 2028 | 1520 | dichvum4gvn1.exe | 42
PID 1520 wrote to memory of 2028 | 1520 | dichvum4gvn1.exe | 42
PID 1520 wrote to memory of 2028 | 1520 | dichvum4gvn1.exe | 42
Processes

Each numbered entry is a child of the entry before it; the number is its depth in the process tree.

1. C:\Users\Admin\AppData\Local\Temp\04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991.exe (PID 1148)
   Command line: "C:\Users\Admin\AppData\Local\Temp\04e0d3b87f41a71512400ca6df0875a22a6672dc4fb57f42d990fc248942c991.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe (PID 1080)
   Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\dichvum4gvn1.exe (PID 1800)
   Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dichvum4gvn1.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Modifies WinLogon
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1280), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies WinLogon
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 520), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 528), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies WinLogon
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1464), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1744), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies WinLogon
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 852), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies WinLogon
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1836), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1368), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1808), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1040), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1356), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1520), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies WinLogon
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2028), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
17. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2032), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1128), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
19. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1600), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1792), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 876), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 984), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
23. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2036), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 904), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 844), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
26. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 644), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2016), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1488), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
29. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1344), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies WinLogon
30. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 848), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
31. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1944), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1056), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
33. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1804), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2008), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1548), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 732), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Drops file in System32 directory
37. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 976), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 900), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Modifies WinLogon
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 512), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Drops file in System32 directory
40. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1768), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Modifies WinLogon
41. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2040), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Adds Run key to start application
42. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1256), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Adds Run key to start application
43. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1932), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Drops file in System32 directory
44. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1532), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Adds Run key to start application
45. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1364), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 816), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 992), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Modifies WinLogon
   - Drops file in System32 directory
48. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1592), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 912), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Adds Run key to start application
50. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2000), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 428), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 1084), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Drops file in System32 directory
53. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2044), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2060), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Adds Run key to start application
   - Drops file in System32 directory
55. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2080), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Modifies WinLogon
56. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2100), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2120), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Adds Run key to start application
58. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2140), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2160), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2180), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Modifies WinLogon
61. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2200), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2220), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2240), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2260), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Executes dropped EXE
   - Modifies WinLogon
65. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2280), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2296), command line: C:\Windows\system32\dichvum4gvn1.exe
67. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2312), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
68. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2328), command line: C:\Windows\system32\dichvum4gvn1.exe
69. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2344), command line: C:\Windows\system32\dichvum4gvn1.exe
70. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2360), command line: C:\Windows\system32\dichvum4gvn1.exe
71. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2376), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
72. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2392), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Adds Run key to start application
73. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2408), command line: C:\Windows\system32\dichvum4gvn1.exe
74. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2424), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
75. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2444), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Adds Run key to start application
76. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2460), command line: C:\Windows\system32\dichvum4gvn1.exe
77. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2480), command line: C:\Windows\system32\dichvum4gvn1.exe
78. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2496), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
79. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2524), command line: C:\Windows\system32\dichvum4gvn1.exe
80. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2540), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
81. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2556), command line: C:\Windows\system32\dichvum4gvn1.exe
82. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2572), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
83. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2596), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Adds Run key to start application
84. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2612), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
85. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2628), command line: C:\Windows\system32\dichvum4gvn1.exe
86. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2644), command line: C:\Windows\system32\dichvum4gvn1.exe
87. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2660), command line: C:\Windows\system32\dichvum4gvn1.exe
88. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2676), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
   - Drops file in System32 directory
89. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2692), command line: C:\Windows\system32\dichvum4gvn1.exe
90. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2708), command line: C:\Windows\system32\dichvum4gvn1.exe
91. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2724), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Adds Run key to start application
   - Drops file in System32 directory
92. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2740), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
93. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2756), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
94. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2772), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
95. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2788), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
96. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2804), command line: C:\Windows\system32\dichvum4gvn1.exe
97. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2820), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
98. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2836), command line: C:\Windows\system32\dichvum4gvn1.exe
99. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2852), command line: C:\Windows\system32\dichvum4gvn1.exe
100. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2868), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
101. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2884), command line: C:\Windows\system32\dichvum4gvn1.exe
102. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2900), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
103. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2916), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
   - Drops file in System32 directory
104. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2932), command line: C:\Windows\system32\dichvum4gvn1.exe
105. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2948), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
106. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2964), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
107. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2980), command line: C:\Windows\system32\dichvum4gvn1.exe
108. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2996), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
109. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 3012), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Adds Run key to start application
110. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 3028), command line: C:\Windows\system32\dichvum4gvn1.exe
111. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 3044), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Adds Run key to start application
   - Modifies WinLogon
112. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 3060), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
113. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2056), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
114. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2096), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
115. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2136), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Modifies WinLogon
116. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2176), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
117. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2216), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Adds Run key to start application
118. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2256), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Adds Run key to start application
119. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2308), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory
120. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2368), command line: C:\Windows\system32\dichvum4gvn1.exe
121. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2440), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Adds Run key to start application
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\dichvum4gvn1.exe (PID 2520), command line: C:\Windows\system32\dichvum4gvn1.exe
   - Drops file in System32 directory