48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f

Analysis

max time kernel
113s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f.exe
Size

253KB
MD5

55d86f7d4fec3548b1b176c7d9b8b8d1
SHA1

e53a983a6a1ac30869e4964945334d195b4a7648
SHA256

48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f
SHA512

6a3313dd7023e82b075eed4ad094bbe7cc32920ef2894d76ca1202031af26445a52549caafcc8baba9960e7bacb061d598b96405911289f84df2d394e98963b4
SSDEEP

3072:ZY0yj4Gi3dnYxGBMBwK9pTea9cbOPi6Q6cv/VbfSt1gNKRjPsh5zhfRVLdUfijhb:ZY94NYdB1XvqMWmvgNKRjPGlp7nWVp18

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1516	rinst.exe
3148	K2 Trainer.exe
4516	bpk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e61-136.dat	upx
behavioral2/files/0x0006000000022e61-138.dat	upx
behavioral2/memory/3148-160-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3148-162-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rinst.exe

Loads dropped DLL 5 IoCs

pid	Process
4516	bpk.exe
3148	K2 Trainer.exe
4516	bpk.exe
4516	bpk.exe
5048	48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe"	bpk.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	bpk.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	bpk.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\bpk.exe	rinst.exe
File created	C:\Windows\SysWOW64\bpkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\kw.dat	rinst.exe
File created	C:\Windows\SysWOW64\bpkwb.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\bpkwb.dll"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\bpkwb.dll"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4516	bpk.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4516	bpk.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3148	K2 Trainer.exe
4516	bpk.exe
4516	bpk.exe
4516	bpk.exe
4516	bpk.exe
4516	bpk.exe
4516	bpk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1516	5048	48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f.exe	79
PID 5048 wrote to memory of 1516	5048	48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f.exe	79
PID 5048 wrote to memory of 1516	5048	48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f.exe	79
PID 1516 wrote to memory of 3148	1516	rinst.exe	81
PID 1516 wrote to memory of 3148	1516	rinst.exe	81
PID 1516 wrote to memory of 3148	1516	rinst.exe	81
PID 1516 wrote to memory of 4516	1516	rinst.exe	82
PID 1516 wrote to memory of 4516	1516	rinst.exe	82
PID 1516 wrote to memory of 4516	1516	rinst.exe	82
PID 4516 wrote to memory of 4648	4516	bpk.exe	90
PID 4516 wrote to memory of 4648	4516	bpk.exe	90
PID 4516 wrote to memory of 4648	4516	bpk.exe	90

C:\Users\Admin\AppData\Local\Temp\48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f.exe
"C:\Users\Admin\AppData\Local\Temp\48e2db1ecd5ea2fea5c337f899b6d76237c7ad12734491ccef0545170bf59d2f.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\K2 Trainer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\K2 Trainer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3148
- - C:\Windows\SysWOW64\bpk.exe
    C:\Windows\system32\bpk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} about:blank
      4⤵
      PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\K2 Trainer.exe

Filesize
31KB

MD5
186314f1f61a355ac2ae7f3c88f044cf

SHA1
3182cc8971ec447532fb464cd093794e64f43d43

SHA256
82029d41d12ded406c94969c8901e355d6871dc1e18e1a1d82c05aa4b239b92a

SHA512
3b317cc58c742c7baf277857e33972cd01950ce2ddb85ce7cecca9175c8d5e3c444cfaec7ad821cbafdcaf024840f9a0a765c148d7dd566849f1efef602f73b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\K2 Trainer.exe

Filesize
31KB

MD5
186314f1f61a355ac2ae7f3c88f044cf

SHA1
3182cc8971ec447532fb464cd093794e64f43d43

SHA256
82029d41d12ded406c94969c8901e355d6871dc1e18e1a1d82c05aa4b239b92a

SHA512
3b317cc58c742c7baf277857e33972cd01950ce2ddb85ce7cecca9175c8d5e3c444cfaec7ad821cbafdcaf024840f9a0a765c148d7dd566849f1efef602f73b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe

Filesize
388KB

MD5
d5907401dac04be7086b02244be3050c

SHA1
5f2ad6e9fe52e007c0be2b1114dd88d5b6402be4

SHA256
0df78de18c5c969b4951f6c85962544e85e54cdf0863b7bc86cea85f78a07132

SHA512
d9837238e81e7da59b4379a4ed6072ed1a6945e86e76aee2fa8ad79ffdc890dba0f88a02982f62d4ac49306a1e337afd948e9589bd5cf4a8e0fee091e3c4dcfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

Filesize
8KB

MD5
fac3873f279dce7bec4a0c12662052d8

SHA1
681756ce3c5c17f52965629d3a45f55afb8d947a

SHA256
03057578ba9b9e229326403b0aa0ae8538132c9c6f9ab9e43ef8ef563053f25d

SHA512
394b808074b9943e831d7178f448755d75a7fbdf91835234b8d4ce5cb894e5829c38498173271b67d59b1449189f5d878f71ed6513ef341016ca00f13a2abf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll

Filesize
40KB

MD5
30a9d7a4178385b41a5a6209c6096dce

SHA1
0584354b99f17d45ae94efbbf9235d921870ea9a

SHA256
eb6fedaba26f0b49566343b03ed32b22f6757ff327554a3353c7121995e04fc5

SHA512
f74d3d3a7c44f5174833072691eb09035f06de8bd16d4afb17370b3336882ab6e974ad6d4b9875364ab26853e48f8ccbe72534630e19c02d9eacb8ae8483aae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
8e3a50682fe644998934eef56937c723

SHA1
8438672d53513de3f6644cf656af818c4b3631e2

SHA256
4e854262d6a4cb5707664a0c16018a478ec99ba4b7039522b87e6def819d6ecf

SHA512
0564dce8bb2acb1ad9f954131883e38718248bf84b0712767cbf2c83ebc80d765f2be90556880112caa53c558ab4567fcf00e4cfdb58b0e31605d38f0ba6f507

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kw.dat

Filesize
72B

MD5
6e7ef5e11d101ecbb9a59df5ea3797e2

SHA1
c9089c42898612f70f5d6c1b8a8d00786c974c9d

SHA256
0712499341ed67de45d5fe5133fd056e8d2267a802303ebc7bf276c5386b219b

SHA512
121bd20e3165fe8c86887d745b965bf716a8e26ae0253910d086d0643326969c36d2d87cab0577ab0dccd63bf826589a29108fc94ce2de331cb056db377618bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
3KB

MD5
5ac215a71e0cfbcc15ba30040df514c1

SHA1
1cf88c070aa191350dca2a85437717b8f35fc355

SHA256
bacebfbe74ad33ce1bd90fcb4098dc1d3ec428e8e5bb72e2d72dfd288e2a511c

SHA512
ed26039a26b50a1688eed8a76f12386623967bc59b470c0a5f1212dd29fa2618d9a20a620cdf1e84dffabdf5a02bccc78d1d51ab4a2e76f3c1914937e3db6c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
c2945ee5c57f33f8bbb6a4f6d539180b

SHA1
64c958603de6a1db225752e9abb87222faf24c68

SHA256
b6c83639513169d01356a02db1631e8f28320c8ed0cd9f485d5433d13616f349

SHA512
8bdd657d45ed8720c92dad611f5c41c0e8e6602444232ce23b0258a8a8c1b194b1ad6498f25292c29ed7b8deb42b220245130a87f54b34d49dd250fb31f149d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
c2945ee5c57f33f8bbb6a4f6d539180b

SHA1
64c958603de6a1db225752e9abb87222faf24c68

SHA256
b6c83639513169d01356a02db1631e8f28320c8ed0cd9f485d5433d13616f349

SHA512
8bdd657d45ed8720c92dad611f5c41c0e8e6602444232ce23b0258a8a8c1b194b1ad6498f25292c29ed7b8deb42b220245130a87f54b34d49dd250fb31f149d4

Download Submit
C:\Windows\SysWOW64\bpk.exe

Filesize
388KB

MD5
0579a3ade48160490f11e7fd76ac979f

SHA1
f50361131af2b98c8e03c5fec0d5e72f4be5ff65

SHA256
449d479776f1e6b1cb88fdc81eb88b2dde423e53c648ad19a17d27d82717512d

SHA512
a97ef3f04ed4207e369ced8e9f21e31c33051555279736ade7b76494b8177ae13c91942e83e0d58e52b663625bd666897e97b23fe8ef61964e042b7a8d831de7

Download Submit
C:\Windows\SysWOW64\bpk.exe

Filesize
388KB

MD5
0579a3ade48160490f11e7fd76ac979f

SHA1
f50361131af2b98c8e03c5fec0d5e72f4be5ff65

SHA256
449d479776f1e6b1cb88fdc81eb88b2dde423e53c648ad19a17d27d82717512d

SHA512
a97ef3f04ed4207e369ced8e9f21e31c33051555279736ade7b76494b8177ae13c91942e83e0d58e52b663625bd666897e97b23fe8ef61964e042b7a8d831de7

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
8KB

MD5
a9bce1d47adb3f7779809adc1c04726d

SHA1
265b2cd93ba894477c6a9d45b0c9ab65ea88d3b4

SHA256
8f70fee209f1ff4fde13b865618751e3c8cdfb454bb1b964f07c9af90e69be94

SHA512
ea6b0d8f2c0768c6e1e147c132c24a085c4174fb7ec565d23c774bffebae28c53a2ab60d3d279879a42f904cabb4e5268e767a44773eac648721335817fdacdb

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
8KB

MD5
a9bce1d47adb3f7779809adc1c04726d

SHA1
265b2cd93ba894477c6a9d45b0c9ab65ea88d3b4

SHA256
8f70fee209f1ff4fde13b865618751e3c8cdfb454bb1b964f07c9af90e69be94

SHA512
ea6b0d8f2c0768c6e1e147c132c24a085c4174fb7ec565d23c774bffebae28c53a2ab60d3d279879a42f904cabb4e5268e767a44773eac648721335817fdacdb

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
8KB

MD5
a9bce1d47adb3f7779809adc1c04726d

SHA1
265b2cd93ba894477c6a9d45b0c9ab65ea88d3b4

SHA256
8f70fee209f1ff4fde13b865618751e3c8cdfb454bb1b964f07c9af90e69be94

SHA512
ea6b0d8f2c0768c6e1e147c132c24a085c4174fb7ec565d23c774bffebae28c53a2ab60d3d279879a42f904cabb4e5268e767a44773eac648721335817fdacdb

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
8KB

MD5
a9bce1d47adb3f7779809adc1c04726d

SHA1
265b2cd93ba894477c6a9d45b0c9ab65ea88d3b4

SHA256
8f70fee209f1ff4fde13b865618751e3c8cdfb454bb1b964f07c9af90e69be94

SHA512
ea6b0d8f2c0768c6e1e147c132c24a085c4174fb7ec565d23c774bffebae28c53a2ab60d3d279879a42f904cabb4e5268e767a44773eac648721335817fdacdb

Download Submit
C:\Windows\SysWOW64\bpkwb.dll

Filesize
40KB

MD5
f5cd91b683eed55da373d54fac54d52d

SHA1
83665074e3ee67dae8d0d8010a1bb07d3a6c7ef0

SHA256
815f893e764eb040fa19e35b66cbc04c469144575039817de0f8548f39f8327d

SHA512
57f74a66057472c1ebb28f666e1478797a8fb1a3b37596ba9d99930e6b6bfb98e2bb30329c31d691f75043d286db2b6d77145b6e9f42801f0719aab77712c0d9

Download Submit
C:\Windows\SysWOW64\bpkwb.dll

Filesize
40KB

MD5
f5cd91b683eed55da373d54fac54d52d

SHA1
83665074e3ee67dae8d0d8010a1bb07d3a6c7ef0

SHA256
815f893e764eb040fa19e35b66cbc04c469144575039817de0f8548f39f8327d

SHA512
57f74a66057472c1ebb28f666e1478797a8fb1a3b37596ba9d99930e6b6bfb98e2bb30329c31d691f75043d286db2b6d77145b6e9f42801f0719aab77712c0d9

Download Submit
C:\Windows\SysWOW64\bpkwb.dll

Filesize
40KB

MD5
f5cd91b683eed55da373d54fac54d52d

SHA1
83665074e3ee67dae8d0d8010a1bb07d3a6c7ef0

SHA256
815f893e764eb040fa19e35b66cbc04c469144575039817de0f8548f39f8327d

SHA512
57f74a66057472c1ebb28f666e1478797a8fb1a3b37596ba9d99930e6b6bfb98e2bb30329c31d691f75043d286db2b6d77145b6e9f42801f0719aab77712c0d9

Download Submit
C:\Windows\SysWOW64\inst.dat

Filesize
996B

MD5
8e3a50682fe644998934eef56937c723

SHA1
8438672d53513de3f6644cf656af818c4b3631e2

SHA256
4e854262d6a4cb5707664a0c16018a478ec99ba4b7039522b87e6def819d6ecf

SHA512
0564dce8bb2acb1ad9f954131883e38718248bf84b0712767cbf2c83ebc80d765f2be90556880112caa53c558ab4567fcf00e4cfdb58b0e31605d38f0ba6f507

Download Submit
C:\Windows\SysWOW64\kw.dat

Filesize
72B

MD5
124d2961378154312a32266e5790d980

SHA1
6056f762702540d5c0e3a6cff6692b4f9123cf42

SHA256
d289324358836cede0fea65f63a404e81fe7a5b3b261b9fac1ca9ade7186da58

SHA512
122b73a1e0445127320604431fef6d8eba5ef211236d98b2ad7909691b678d0a42217da2d97a752454ab24b396529849872502e1adfa855d93abf1ee18509ca5

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
3KB

MD5
c8052859979aecb6138915291e5ad66e

SHA1
bd34db72689c236e7571838a0aaebce3c6e5b848

SHA256
47a5b55cd823cfe206c6946876973438f707e28993d7337746df9b692e15ade4

SHA512
27580f274dea9360f3cdc3a413537c627639d16713ce0d01d05426c45d8d834ae63f602b1c099bc8e39b502428a7cd153153e4278717ecfb5a8120c3550c117f

Download Submit
C:\Windows\SysWOW64\rinst.exe

Filesize
7KB

MD5
c2945ee5c57f33f8bbb6a4f6d539180b

SHA1
64c958603de6a1db225752e9abb87222faf24c68

SHA256
b6c83639513169d01356a02db1631e8f28320c8ed0cd9f485d5433d13616f349

SHA512
8bdd657d45ed8720c92dad611f5c41c0e8e6602444232ce23b0258a8a8c1b194b1ad6498f25292c29ed7b8deb42b220245130a87f54b34d49dd250fb31f149d4

Download Submit
memory/3148-160-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3148-162-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4516-159-0x00000000027E1000-0x00000000027E5000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads