Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 15/03/2024, 02:59

Static task: static1

Behavioral task: behavioral1
  Sample: inst_funnyhuvr.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: inst_funnyhuvr.exe
  Resource: win10v2004-20240226-en

General

Target: inst_funnyhuvr.exe
Size: 247KB
MD5: 129ca560af2348743af1c6405b5f1369
SHA1: 91407d397b1f14c4a79cb305b396b4ab10254859
SHA256: c890242b2bc88e9224ef49609c783ae33e2fbc0c01e5670a010a2d2b467edb2f
SHA512: 820ce89dc61c1e828ca9817b8f64dd5be8b2b72ee30221fde19f7143292fb029e7182a613b577a9f7db3dac59ccc7d304f1b60702f78d7a191c94e3ecbca1ed1
SSDEEP: 6144:SY94NTI3EyQoLp+qgueQDbQNE8yWMBMkzNkfG5:R9Ox7Ip+qgUbQnaifa

Malware Config

Signatures
Executes dropped EXE (64 IoCs)

pid | Process
2180 | rinst.exe
1924 | funny.exe
2588 | bpk.exe
2592 | Tonghop1.exe
2568 | Tonghop1.exe
2484 | Tonghop1.exe
2552 | Tonghop1.exe
2892 | Tonghop1.exe
1668 | Tonghop1.exe
2932 | Tonghop1.exe
1528 | Tonghop1.exe
2500 | Tonghop1.exe
1948 | Tonghop1.exe
1944 | Tonghop1.exe
1916 | Tonghop1.exe
1324 | Tonghop1.exe
2492 | Tonghop1.exe
2692 | Tonghop1.exe
3060 | Tonghop1.exe
2732 | Tonghop1.exe
2768 | Tonghop1.exe
1468 | Tonghop1.exe
1200 | Tonghop1.exe
1652 | Tonghop1.exe
1208 | Tonghop1.exe
2260 | Tonghop1.exe
2072 | Tonghop1.exe
2084 | Tonghop1.exe
772 | Tonghop1.exe
728 | Tonghop1.exe
1644 | Tonghop1.exe
1444 | Tonghop1.exe
1428 | Tonghop1.exe
1316 | Tonghop1.exe
632 | Tonghop1.exe
2944 | Tonghop1.exe
452 | Tonghop1.exe
1304 | Tonghop1.exe
2776 | Tonghop1.exe
2292 | Tonghop1.exe
1712 | Tonghop1.exe
1440 | Tonghop1.exe
1816 | Tonghop1.exe
1812 | Tonghop1.exe
1128 | Tonghop1.exe
2132 | Tonghop1.exe
1880 | Tonghop1.exe
1112 | Tonghop1.exe
908 | Tonghop1.exe
3000 | Tonghop1.exe
1036 | Tonghop1.exe
2844 | Tonghop1.exe
2860 | Tonghop1.exe
2840 | Tonghop1.exe
3056 | Tonghop1.exe
2124 | Tonghop1.exe
3004 | Tonghop1.exe
2936 | Tonghop1.exe
1708 | Tonghop1.exe
844 | Tonghop1.exe
2288 | Tonghop1.exe
2372 | Tonghop1.exe
1464 | Tonghop1.exe
1608 | Tonghop1.exe
Loads dropped DLL (64 IoCs)

pid | Process
2340 | inst_funnyhuvr.exe
2340 | inst_funnyhuvr.exe
2340 | inst_funnyhuvr.exe
2340 | inst_funnyhuvr.exe
2180 | rinst.exe
2180 | rinst.exe
2180 | rinst.exe
2180 | rinst.exe
1924 | funny.exe
1924 | funny.exe
2592 | Tonghop1.exe
2592 | Tonghop1.exe
2568 | Tonghop1.exe
2568 | Tonghop1.exe
2484 | Tonghop1.exe
2588 | bpk.exe
2568 | Tonghop1.exe
2484 | Tonghop1.exe
2588 | bpk.exe
2484 | Tonghop1.exe
2552 | Tonghop1.exe
2592 | Tonghop1.exe
1924 | funny.exe
2552 | Tonghop1.exe
2552 | Tonghop1.exe
2892 | Tonghop1.exe
2892 | Tonghop1.exe
2892 | Tonghop1.exe
1668 | Tonghop1.exe
1668 | Tonghop1.exe
1668 | Tonghop1.exe
2932 | Tonghop1.exe
2932 | Tonghop1.exe
2932 | Tonghop1.exe
1528 | Tonghop1.exe
1528 | Tonghop1.exe
1528 | Tonghop1.exe
2500 | Tonghop1.exe
2500 | Tonghop1.exe
2500 | Tonghop1.exe
1948 | Tonghop1.exe
1948 | Tonghop1.exe
1948 | Tonghop1.exe
1944 | Tonghop1.exe
1944 | Tonghop1.exe
1916 | Tonghop1.exe
1944 | Tonghop1.exe
1916 | Tonghop1.exe
1324 | Tonghop1.exe
1916 | Tonghop1.exe
1324 | Tonghop1.exe
2492 | Tonghop1.exe
2492 | Tonghop1.exe
2692 | Tonghop1.exe
2492 | Tonghop1.exe
2692 | Tonghop1.exe
1324 | Tonghop1.exe
3060 | Tonghop1.exe
3060 | Tonghop1.exe
2732 | Tonghop1.exe
2732 | Tonghop1.exe
2768 | Tonghop1.exe
2692 | Tonghop1.exe
3060 | Tonghop1.exe
Adds Run key to start application (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tonghop1 = "C:\\Windows\\system32\\Tonghop1.exe" | Process not Found
Creates a large amount of network flows (1 TTPs)

This may indicate a network scan to discover remotely running services.
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)

BHOs are DLL modules which act as plugins for Internet Explorer.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" | bpk.exe
Modifies WinLogon (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Logoff = "WLELogoff" | Tonghop1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StopScreenSaver = "WLEStopScreenSaver" | Tonghop1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Impersonate = "0" | Tonghop1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StopScreenSaver = "WLEStopScreenSaver" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\DllName = "Tonghop1.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Unlock = "WLEUnlock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\DllName = "Tonghop1.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1 | Tonghop1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1 | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Logon = "WLELogon" | Tonghop1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Asynchronous = "0" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Shutdown = "WLEShutdown" | Tonghop1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Impersonate = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Asynchronous = "0" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Shutdown = "WLEShutdown" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\DllName = "Tonghop1.dll" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StartScreenSaver = "WLEStartScreenSaver" | Tonghop1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Asynchronous = "0" | Tonghop1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Impersonate = "0" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StartScreenSaver = "WLEStartScreenSaver" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\DllName = "Tonghop1.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Startup = "WLEStartup" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StopScreenSaver = "WLEStopScreenSaver" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StopScreenSaver = "WLEStopScreenSaver" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Shutdown = "WLEShutdown" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Logoff = "WLELogoff" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Logoff = "WLELogoff" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StopScreenSaver = "WLEStopScreenSaver" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1 | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Impersonate = "0" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Logon = "WLELogon" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\DllName = "Tonghop1.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StopScreenSaver = "WLEStopScreenSaver" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StopScreenSaver = "WLEStopScreenSaver" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Logon = "WLELogon" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StartScreenSaver = "WLEStartScreenSaver" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Shutdown = "WLEShutdown" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StartScreenSaver = "WLEStartScreenSaver" | Tonghop1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StartScreenSaver = "WLEStartScreenSaver" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Logoff = "WLELogoff" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Unlock = "WLEUnlock" | Tonghop1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1 | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Impersonate = "0" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1 | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Unlock = "WLEUnlock" | Tonghop1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\StopScreenSaver = "WLEStopScreenSaver" | Tonghop1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Asynchronous = "0" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Logoff = "WLELogoff" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Tonghop1\Lock = "WLELock" | Tonghop1.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Process not Found
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
File created | C:\Windows\SysWOW64\Tonghop1.exe | Tonghop1.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Modifies registry class (46 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\bpkwb.dll" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" | bpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\bpkwb.dll" | bpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | bpk.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2588 bpk.exe 2588 bpk.exe -
Suspicious use of SendNotifyMessage 11 IoCs
pid Process 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe 2588 bpk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\inst_funnyhuvr.exe"C:\Users\Admin\AppData\Local\Temp\inst_funnyhuvr.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\funny.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\funny.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
PID:2492 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe22⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe23⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe24⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe25⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe26⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe27⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe28⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe29⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe30⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe31⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe32⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe33⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe34⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe35⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe36⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe37⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe38⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe39⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe40⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe41⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe42⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe43⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe44⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe45⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe46⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe47⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe48⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe49⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe50⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe51⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe52⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2844 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe53⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe55⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe56⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe57⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe58⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2936 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe59⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe60⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe61⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe62⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe63⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe64⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe65⤵PID:1604
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe66⤵PID:2164
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe67⤵PID:2212
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe68⤵PID:1744
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe69⤵PID:2788
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe70⤵PID:1884
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe71⤵PID:2720
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe72⤵PID:2648
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe73⤵PID:2628
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe74⤵PID:2580
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe75⤵PID:2612
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe76⤵PID:2572
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe77⤵PID:2616
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe78⤵PID:2456
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe79⤵PID:2188
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe80⤵PID:2556
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe81⤵PID:2780
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe82⤵PID:2708
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe83⤵PID:2684
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe84⤵PID:2428
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe85⤵PID:2452
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe86⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe87⤵PID:3016
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe88⤵PID:1704
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe89⤵
- Adds Run key to start application
PID:2680 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe90⤵PID:1228
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe91⤵PID:1432
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe92⤵PID:2728
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe93⤵PID:1160
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe94⤵
- Drops file in System32 directory
PID:3080 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe95⤵
- Modifies WinLogon
PID:3096 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe96⤵PID:3112
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe97⤵PID:3128
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe98⤵PID:3144
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe99⤵PID:3164
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe100⤵PID:3180
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe101⤵PID:3200
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe102⤵PID:3220
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe103⤵PID:3232
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe104⤵PID:3248
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe105⤵
- Adds Run key to start application
- Modifies WinLogon
PID:3264 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe106⤵PID:3280
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe107⤵PID:3296
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe108⤵PID:3312
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe109⤵PID:3328
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe110⤵PID:3344
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe111⤵PID:3360
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe112⤵PID:3376
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe113⤵PID:3392
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe114⤵PID:3408
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe115⤵PID:3424
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe116⤵PID:3440
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe117⤵PID:3456
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe118⤵PID:3472
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe119⤵
- Drops file in System32 directory
PID:3488 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe120⤵
- Adds Run key to start application
PID:3504 -
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe121⤵PID:3520
-
C:\Windows\SysWOW64\Tonghop1.exeC:\Windows\system32\Tonghop1.exe122⤵PID:3536