41382cfbae7f9f320aeff2643eaac03f9d1a2c7be805d84765e2b5d1390add6c

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248ade85fbaff90a6873f850ec336032_JaffaCakes118.exe
Size

2.0MB
MD5

248ade85fbaff90a6873f850ec336032
SHA1

407024c7150ed988220c067dba468e941d09272a
SHA256

41382cfbae7f9f320aeff2643eaac03f9d1a2c7be805d84765e2b5d1390add6c
SHA512

e0b3f8cd8c236aa1c41a06384e79afc918f2fde4db6cac877058a375a2fb91a1f0ff3f4fbe5f657ae63e96d6a7218a0a2704763d2a2914b969d40f99abe43a6d
SSDEEP

24576:7C2efPHw24tP1TmKGqYT1cvigpOwdGfXGh2L73fMOpJC:7ifPqEDgpOwpOpJ

Score

7^/10

adware persistence stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3036	972.exe
2760	rinst.exe
2904	NyxLauncher.exe
2532	bpk.exe

Loads dropped DLL 18 IoCs

pid	Process
3036	972.exe
3036	972.exe
3036	972.exe
3036	972.exe
2760	rinst.exe
2760	rinst.exe
2760	rinst.exe
2532	bpk.exe
2532	bpk.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3036	972.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe"	bpk.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	bpk.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	bpk.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\bpk.exe	rinst.exe
File created	C:\Windows\SysWOW64\bpkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\bpkwb.dll	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	2904	WerFault.exe	31

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\bpkwb.dll"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\bpkwb.dll"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2532	bpk.exe
2532	bpk.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2904	NyxLauncher.exe
2532	bpk.exe
2904	NyxLauncher.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe
2532	bpk.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3036	2440	248ade85fbaff90a6873f850ec336032_JaffaCakes118.exe	29
PID 2440 wrote to memory of 3036	2440	248ade85fbaff90a6873f850ec336032_JaffaCakes118.exe	29
PID 2440 wrote to memory of 3036	2440	248ade85fbaff90a6873f850ec336032_JaffaCakes118.exe	29
PID 2440 wrote to memory of 3036	2440	248ade85fbaff90a6873f850ec336032_JaffaCakes118.exe	29
PID 3036 wrote to memory of 2760	3036	972.exe	30
PID 3036 wrote to memory of 2760	3036	972.exe	30
PID 3036 wrote to memory of 2760	3036	972.exe	30
PID 3036 wrote to memory of 2760	3036	972.exe	30
PID 2760 wrote to memory of 2904	2760	rinst.exe	31
PID 2760 wrote to memory of 2904	2760	rinst.exe	31
PID 2760 wrote to memory of 2904	2760	rinst.exe	31
PID 2760 wrote to memory of 2904	2760	rinst.exe	31
PID 2760 wrote to memory of 2904	2760	rinst.exe	31
PID 2760 wrote to memory of 2904	2760	rinst.exe	31
PID 2760 wrote to memory of 2904	2760	rinst.exe	31
PID 2760 wrote to memory of 2532	2760	rinst.exe	32
PID 2760 wrote to memory of 2532	2760	rinst.exe	32
PID 2760 wrote to memory of 2532	2760	rinst.exe	32
PID 2760 wrote to memory of 2532	2760	rinst.exe	32
PID 2904 wrote to memory of 3020	2904	NyxLauncher.exe	33
PID 2904 wrote to memory of 3020	2904	NyxLauncher.exe	33
PID 2904 wrote to memory of 3020	2904	NyxLauncher.exe	33
PID 2904 wrote to memory of 3020	2904	NyxLauncher.exe	33
PID 2904 wrote to memory of 3020	2904	NyxLauncher.exe	33
PID 2904 wrote to memory of 3020	2904	NyxLauncher.exe	33
PID 2904 wrote to memory of 3020	2904	NyxLauncher.exe	33

C:\Users\Admin\AppData\Local\Temp\248ade85fbaff90a6873f850ec336032_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\248ade85fbaff90a6873f850ec336032_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\972.exe
  C:\Users\Admin\AppData\Local\Temp\972.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\NyxLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NyxLauncher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 372
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3020
  - - C:\Windows\SysWOW64\bpk.exe
      C:\Windows\system32\bpk.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\972.exe

Filesize
757KB

MD5
a75cc077e7e07571fbb10a34401c210f

SHA1
9c14b343e7d469dcdd8f061616ef26244baa8c6c

SHA256
f85c312745e759530b364e2e6686dff2326fd9029d8c30f9d72cca5e3a693692

SHA512
75c90605df21ac12f69b1ae4adb19bd41c080dbe4d9749d5e6b2755094d0e875be86f3ac92c77e3926ebf3a9903aaf2c62ccba0102e4e01698eae20690634d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NyxLauncher.exe

Filesize
1.1MB

MD5
82d58d4a4f4d5827cf75c0183c635eff

SHA1
505fbc2f9239f58bf447bd7227a0145fed05803b

SHA256
d342f5fcd2643cf976e756048526c0c4283341ace68b81239090b7aa89eff5f8

SHA512
43780aee61588d2e4222515dfb135e9eb11328ebd3f61a3584118a634a825e1da5837acf0bc3329aa53f111ff1fcec0b00daf12279a9339b46e34947d521268a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe

Filesize
428KB

MD5
88204635d5dc9039f9e7bcd3452cd59c

SHA1
3580038aa924a68fde4b32687493ba5d8fe603c0

SHA256
a69b70f2a3d70c59ddad857c83760512687c14a201154e04a93e7f38b4daa9f0

SHA512
3e6d60050b12e3de52045f03cbb0549c2e55742f9667ff9e947e81cc9b0bab6f08344329e97eef1b1eb58d720b500cb294a06bfd8230ad0698260a7dc1eea1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

Filesize
24KB

MD5
5c743c2913fe95c70dd87979381157b3

SHA1
83ea5272da702a4977ce4e37a7e10b0f5ace1f4c

SHA256
995da7c310b8166bb54a4cc6ef3875bb2b7e86e37f345d0183486341d97c04df

SHA512
1cbdbc4c0f51b176124d8b2f05de24818249dc624a88d837bbc7149e0f9008fb1e09c18ff9a5df4eb29f9d709c365b7a0d1d6285f0995568705720600753e86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll

Filesize
40KB

MD5
b73031cfe54eda12d4eb65b6e564e62b

SHA1
2d729bca13d51bbdf747f8a8e99020ce22df232b

SHA256
e3bd613910d7eb8ddcfd077f51815536468073375da83424f5237062742f172d

SHA512
bff6d7ef38b23c2445ba998c08088111e7cdc3737ba5a27ff8c828f1eea0e47e72147dedd4ff9248327410101dd53b2091b7f327408e2949cb0363f37ef49116

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
17a1d132f4629112c80f5b3e5b12e592

SHA1
0b8ff1a78a932def6a1607f86f543e24b931571e

SHA256
17251f8d5c36f7d6bc3aaf6d811d0df693e80d98daf1de3287f57a505d072ef6

SHA512
f2dd59b5df3f4c92801fc852045f38c609b69965c84cba2ac65660bb19e4c713a2bd85939b6c9e6a838fd9e0fab7d145fba4dbe9f9d48d7c2ae7596af32fed7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
4KB

MD5
93cfcb5539a13d35d45cdf4c61205553

SHA1
497f049073f522afdf1a7175cfd52153d48fd1e3

SHA256
b4e4f5ea97b412ac006eab3a918aa986038016915ed803edf0822f848b918892

SHA512
87b370c9a3e3878b94c036605cef6c064d0558136c480c0e20b56d881684eee3e77b69c1f146c9af0e1c4fb108996234d5a1498250ae24e84450f44f5fa31b5a

Download Submit
C:\Windows\SysWOW64\bpk.exe

Filesize
428KB

MD5
1112e89859a0f2b052d5eb1626e25664

SHA1
7864b86a7e0ac3fc28e898d06eefc829e8d3be02

SHA256
92ff08bfffa729b69d6e4e128ee2fa03a1c1f367b168213e907bd3f70d64cb61

SHA512
c45f365ade9829f07605e686d3998e24f39c7b73b97639412191d4fc0fda3bfa1a087669a9a8ba1eb859ff8135c80df730e4709594201cb531b2bc08ececcb9e

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
24KB

MD5
7719e3244553dce7b70a9d1083e291dc

SHA1
d7147a052b19bb08356ba6dea5cc0e6486a0121d

SHA256
6c48b4fe62614ad35aab89b534310024770fbcaa669d50a462f4973feeee926f

SHA512
5ea1aad723e1043028136c943899e5a33e4b58b119c927fb001891facae656277969ec31cd7035680eb5d97e401c22577a082c2cf728e9142a3f0c62d1d99beb

Download Submit
C:\Windows\SysWOW64\bpkwb.dll

Filesize
40KB

MD5
21d4e01f38b5efd64ad6816fa0b44677

SHA1
5242d2c5b450c773b9fa3ad014a8aba9b7bb206a

SHA256
3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977

SHA512
77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
4KB

MD5
d3e9b853d1f860f53cbecaf21585462c

SHA1
4d85f0bc639afb1e8f7df2db9f73ec622e596743

SHA256
7530d83096a566135b63304ff0b4de968353399ce5ad8d0900b26cbe1757f1e6

SHA512
4b0352f4f858e71b2a0e31ed2df3cfa17f85c31f2b816c16a262799fe56f2c5d030ae4874d100215611670cf337dcc33e03fdf0aafc91a9be2eb85a2827d0aaa

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
fbe4bab53f74d3049ef4b306d4cd8742

SHA1
6504b63908997a71a65997fa31eda4ae4de013e7

SHA256
446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

SHA512
d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

Download Submit
memory/2440-18-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-7-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-9-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-0-0x000007FEF5C8E000-0x000007FEF5C8F000-memory.dmp

Filesize
4KB

Download
memory/2760-42-0x00000000022F0000-0x0000000002408000-memory.dmp

Filesize
1.1MB

Download
memory/2904-81-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3036-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads