f93f1c2aaf4779058b2bf46ab18e7b829b7980f51f896eaf4a67dc7c206ad5f6

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe
Size

1.8MB
MD5

c00377b6b0d9c85b5ef6aa4f161148bb
SHA1

becc018a9c15cca8145be7528fd07bd52d49260a
SHA256

f93f1c2aaf4779058b2bf46ab18e7b829b7980f51f896eaf4a67dc7c206ad5f6
SHA512

4c487f9eb59d5b7a0db6f676b757b8d4ce16b144b061a748d54f54f5421712d4589fb8c7ce34922736cdb91fd7b6e2dbe3645c8dfa43976be6de53dba2a73878
SSDEEP

49152:+CIt+FvkUSkVs13YROIL/+fGQ6F3XSDYxyFWymzkz:pq+FzSkVfHaGQ6tXSbwrkz

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4012	rinst.exe
1948	bpk.exe

Loads dropped DLL 4 IoCs

pid	Process
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
2192	c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe"	bpk.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	bpk.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	bpk.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\bpk.exe	rinst.exe
File created	C:\Windows\SysWOW64\bpkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\mc.dat	rinst.exe
File created	C:\Windows\SysWOW64\bpkwb.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpk.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\bpkwb.dll"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bpk.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	rinst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0"	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	bpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\bpkwb.dll"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	bpk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1948	bpk.exe
1948	bpk.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2952	OpenWith.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe
1948	bpk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 4012	2192	c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe	92
PID 2192 wrote to memory of 4012	2192	c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe	92
PID 2192 wrote to memory of 4012	2192	c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe	92
PID 4012 wrote to memory of 1948	4012	rinst.exe	97
PID 4012 wrote to memory of 1948	4012	rinst.exe	97
PID 4012 wrote to memory of 1948	4012	rinst.exe	97

C:\Users\Admin\AppData\Local\Temp\c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c00377b6b0d9c85b5ef6aa4f161148bb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\bpk.exe
    C:\Windows\system32\bpk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4464,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe

Filesize
424KB

MD5
5ac7c0441c8c0d87b3f8d77be175d0db

SHA1
e8b93a012a04cb7e81dbb664ce17485449994014

SHA256
456a43ed759f12a354dcad49a8d3d906c438c648ba3d00c719e65709c7764f09

SHA512
f94b1434268cba4c99d80d41eccbece84bc28eb8c2973680c8babd6bb7097f96e5bd5190a5d1ea73c613ca3010725f7bcee1dd5b0511827eb196ca8dc9a5cdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

Filesize
24KB

MD5
23fab0e0b3051cf99ba91c6166dd0e9b

SHA1
6499395e8c962f28d5e4b153b3860491ff9fea78

SHA256
1d3f50ce0b1d4a0ac6ccd72df7fc1686ba4adaf6a01d06134dfe46dee0aa513e

SHA512
693c21c798bf5cd62b52b19c6f6ab57cc2c1a4374bf0d06d9e8a1db3bb750803185269ec8b369b4e39835b332edae84ce2680406e91778d65678c0c29d4767ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll

Filesize
40KB

MD5
1687a4fc6c2cd78d6c53b8b404d55094

SHA1
16a4e9b9d2b7dc8d682727d45e290e73617d68f4

SHA256
a31be0c1aaf84620dd3525aefd5a72cf4602360249d2b9b3022d275a3bc52d47

SHA512
6c4abc31bf9f9025d321394978caf6d1b2b48af0e9a7756664a221619e2e29b965554de0df69026eb06a76ac27edbc20723993c3f867ed6b7932fe3bf99fa885

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
ff6aec2f376fbd07e9fc332b58274bca

SHA1
5bf6258fc084a2065d5d287b50a72abf8a510dd2

SHA256
03cf09c23322291d9caab84022ecf21f55230b8c0690b3e6070058bebe9f230b

SHA512
1797e7f2ac9a7d0c36a17f4644b8a6c345a9f0963ad4c09830720038fa4a1d21c0f00c1abd4ed3160a20576ffb72bdcb8ab3a24dfbd272f6efb564114683a380

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mc.dat

Filesize
30B

MD5
726259f004ad6c0d0490661cb3b5590a

SHA1
90622e1d93570bc7c9725435729d351587bf552d

SHA256
698906992c310cfb176f09e61610b2bfbc39fcba0e9875fa454788c7ec764c97

SHA512
e864a584cb64ecca84eb2ac0e2cbc30ccfaf543866975b05b79d0a435fcc1794707c10621dcb80fa905e5364be63067b36a5052076eaba3be428f4439b91f014

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
4KB

MD5
d53c7d15098117bf35eb0bbb598cdce2

SHA1
1521bf1dea4dc6e7b46b1d344d556225f3fe0c6b

SHA256
ea78b57a2224352b6adea36c3522f55d4d1fe392b89b0dd39f0b1800aa8233af

SHA512
9f7af5affa14249460146466832c118a63819b3e7dedad254d022f702ba019ef5cc1ce05a30667f9cb070eafa51ee19145e134ce0b274f372dfc16650fb90ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
fbe4bab53f74d3049ef4b306d4cd8742

SHA1
6504b63908997a71a65997fa31eda4ae4de013e7

SHA256
446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

SHA512
d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wjxtdAutoPro.rar

Filesize
1.6MB

MD5
52d505189fc9cbece6b00b36781dff6c

SHA1
0f439b82c5a2e886b04beec26f58541df0619dd1

SHA256
0959ff71b2b2bf12b0379531599d5ba070a923099533a72fc1034cfe59856c95

SHA512
c82124cdf30215949896f3eab95d6f7601850f7247c94f00acc12456d7d9b8de39a83098d2125e939302bca25bdf8b2799d415eb440899791cc5ae337c5856b7

Download Submit
C:\Windows\SysWOW64\bpk.exe

Filesize
424KB

MD5
994ffae187f4e567c6efee378af66ad0

SHA1
0cc35d07e909b7f6595b9c698fe1a8b9b39c7def

SHA256
f0b707b1ab25024ba5a65f68cd4380a66ef0ce9bb880a92e1feee818854fe423

SHA512
bd5320327a24fbab8934395d272869bfa97d77a2ee44ac6eec8fa79b3ffbd4a049bf9dfeeb6b8cc946c295a07bd07ddba41d81c76d452d2c5587b4bf92559e0a

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
24KB

MD5
9ac9028338d1b353a7cacb563bb91df7

SHA1
a20c5dee8f05c91686324cec2d5b092bafe58339

SHA256
93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

SHA512
ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

Download Submit
C:\Windows\SysWOW64\bpkwb.dll

Filesize
40KB

MD5
21d4e01f38b5efd64ad6816fa0b44677

SHA1
5242d2c5b450c773b9fa3ad014a8aba9b7bb206a

SHA256
3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977

SHA512
77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

Download Submit
C:\Windows\SysWOW64\mc.dat

Filesize
30B

MD5
4428a3048e142e7a72cdcf7ab3b6132e

SHA1
749cd5926b84a88f418cdb01fe51a38b92cd3ff9

SHA256
b6c25055ee4c3902d93fc477520905282446ad0482fbbcd704de120141ce84d2

SHA512
2ff6e482ccb8ca9bfd62ffca9d0b0acfa6e22e6f2f8fc2e2748ea127cc5c3e79c448d207176a249765bcc1b17be9702242a8603cef8829fccb486422f7bfa234

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
4KB

MD5
ef7d5819d56fb51515614caf7684295a

SHA1
f510cee06e60e7feff19e6d7bf0cb843c319a9db

SHA256
cbee09a630dd1ad22c2e42ce9220310665769509c77db9d2b9b1a6299aae29c1

SHA512
5f19881bc95e8c6dc7e7c9a8ee79e6e31b93c6559f9f43f6a16c161f6851e3311671e10bc792292a89dff3f9183167adb07d2d825a1c89961eace403cbda510d

Download Submit
memory/2192-52-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads