00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243

Analysis

max time kernel
172s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243.exe
Size

1.0MB
MD5

1742b7dfca7d2d1d3f160f39d8e58524
SHA1

474192523d4c547f1f2f18092c92034c195360ea
SHA256

00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243
SHA512

85729a97e3cce1e88a86e5df3a92e85b54fbb761dedb8ec1c79d5a7fd2b39e33311203e941c7877465a2f96b5703e014bd778d15ba1a379695302c33172e2dd0
SSDEEP

24576:mw3dpJlpvCPe9Mgr6fL6BoIlmXh7tXj/RiSK9:mCD1qgr6WiIgX9R9HC

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5092	rinst.exe
4276	Songs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243.exe

Loads dropped DLL 4 IoCs

pid	Process
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4804	00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Songs = "C:\\Windows\\SysWOW64\\Songs.exe"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Songs.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin"	Songs.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\temporary.bmp	Songs.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\Songshk.dll	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	Songs.exe
File created	C:\Windows\SysWOW64\th_temp.bmp	Songs.exe
File created	C:\Windows\SysWOW64\Songs.exe	rinst.exe
File created	C:\Windows\SysWOW64\Songswb.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE"	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment"	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\Songswb.dll"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0"	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Songswb.dll"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library"	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class"	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0"	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class"	Songs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource"	Songs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"	Songs.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4276	Songs.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe
4276	Songs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 5092	4804	00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243.exe	82
PID 4804 wrote to memory of 5092	4804	00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243.exe	82
PID 4804 wrote to memory of 5092	4804	00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243.exe	82
PID 5092 wrote to memory of 4276	5092	rinst.exe	84
PID 5092 wrote to memory of 4276	5092	rinst.exe	84
PID 5092 wrote to memory of 4276	5092	rinst.exe	84

C:\Users\Admin\AppData\Local\Temp\00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243.exe
"C:\Users\Admin\AppData\Local\Temp\00cc98ce7f33a796f773a3ba7940099164135fe1d0921bf6507d0a5f46290243.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SysWOW64\Songs.exe
    C:\Windows\system32\Songs.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Songs.exe

Filesize
428KB

MD5
c1c7c01a66ce7d9c713ec075dde1130b

SHA1
c9e912e090a8b7cf6024619b260262825c4c7d90

SHA256
a533ca942e0e98f6f2d0fa3a17e0412a26b62fbfd7bb17b488feb7703f48963c

SHA512
63cf112d1608cacbd563a30ae9270e3b9b3b1045d1c44dc93c7275cd0481e2fd79eb66536152b3faa58e74cfd6cf253a47702aac14b94ab4d3483a170a54fe1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Songshk.dll

Filesize
24KB

MD5
2b74036345ed029da6cfeae800a6aef9

SHA1
e531880907002918658db53411b5052a3f0c57ee

SHA256
52bc84712dbdc50e8beb193c2e394eb932fc665abb166ef47392f8dd7b71e97b

SHA512
61ac7ba5c704a342efe69de5156fd13ada6cdd76d2fcafe98bf14745d2dc25cc78384a26fa187f5898dd36a4f2334fc6a39f96adacaf1265d233e30cb5722743

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Songswb.dll

Filesize
40KB

MD5
4f7f492661afe58f96cddf20ddf7f0a2

SHA1
218cab667a4d63156aa234aa3865e1bdcd626976

SHA256
a1038804ac4b778eaa5191a1d70b2635c8a26eb79e3789ffa918d17fd6097ecf

SHA512
23efa18e638e254ab379053c634013fce5815acd61e606495cbffeb1b6a7d84e1a85849520bf4fcd88401b4760cd58932eb64c56a6ecd78e2632d9b33b443ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
7ee949287f6b991d60a207d5026eedb2

SHA1
3cad67b8905a001b6d920853c2ccfb300156509c

SHA256
cc0ecc9f4fee853426709cecc3a85d50c25b83486237f0880c06154ffd28fbbe

SHA512
30d52517ddfc0c9a88b04923a26bbd1e15287515da153e68ac9b2ecf8d8b76d842ef0859558e726d53c55015caf66d99f6b1d6eba283d214531543acf17c3e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
4KB

MD5
419622c8fd5d93c5a4b5a71d0a691c20

SHA1
d19ad0db4a5a3fb2a747baf64986a28ec43db617

SHA256
ac424713a427e07205484a50f90b93e538b1ac592a87a8b4533ae23d3dba15de

SHA512
bd7085c1de4acd9406e1eefc2866241364ca6754f6e68d07bac25c2f96d0daa0fe80b1524d85e75f393666f5e026a42dc9b01c1ee03262031e59b956b947ec7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
C:\Windows\SysWOW64\Songs.exe

Filesize
428KB

MD5
bae0fb25bcf05a5da7fde8dce759ee0d

SHA1
bc74b07d14a63ce572755c70ceb796136d129e20

SHA256
b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d

SHA512
74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

Download Submit
C:\Windows\SysWOW64\Songs.exe

Filesize
428KB

MD5
bae0fb25bcf05a5da7fde8dce759ee0d

SHA1
bc74b07d14a63ce572755c70ceb796136d129e20

SHA256
b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d

SHA512
74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

Download Submit
C:\Windows\SysWOW64\Songshk.dll

Filesize
24KB

MD5
58129986fa29f6dacd99ab45f60bcb3c

SHA1
7f21995794a060fc8629e0d113cf568de14c509e

SHA256
525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

SHA512
62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

Download Submit
C:\Windows\SysWOW64\Songshk.dll

Filesize
24KB

MD5
58129986fa29f6dacd99ab45f60bcb3c

SHA1
7f21995794a060fc8629e0d113cf568de14c509e

SHA256
525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

SHA512
62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

Download Submit
C:\Windows\SysWOW64\Songshk.dll

Filesize
24KB

MD5
58129986fa29f6dacd99ab45f60bcb3c

SHA1
7f21995794a060fc8629e0d113cf568de14c509e

SHA256
525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

SHA512
62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

Download Submit
C:\Windows\SysWOW64\Songswb.dll

Filesize
40KB

MD5
2e6016325548ab79e2d636640c6ec473

SHA1
586e2b84d46ef00e26c1686033def28e8a9995a5

SHA256
62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e

SHA512
1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

Download Submit
C:\Windows\SysWOW64\Songswb.dll

Filesize
40KB

MD5
2e6016325548ab79e2d636640c6ec473

SHA1
586e2b84d46ef00e26c1686033def28e8a9995a5

SHA256
62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e

SHA512
1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

Download Submit
C:\Windows\SysWOW64\Songswb.dll

Filesize
40KB

MD5
2e6016325548ab79e2d636640c6ec473

SHA1
586e2b84d46ef00e26c1686033def28e8a9995a5

SHA256
62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e

SHA512
1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

Download Submit
C:\Windows\SysWOW64\inst.dat

Filesize
996B

MD5
7ee949287f6b991d60a207d5026eedb2

SHA1
3cad67b8905a001b6d920853c2ccfb300156509c

SHA256
cc0ecc9f4fee853426709cecc3a85d50c25b83486237f0880c06154ffd28fbbe

SHA512
30d52517ddfc0c9a88b04923a26bbd1e15287515da153e68ac9b2ecf8d8b76d842ef0859558e726d53c55015caf66d99f6b1d6eba283d214531543acf17c3e92

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
4KB

MD5
075735520d54b44a8ed679d59eeb8b4b

SHA1
88d5e372c636ccd3b69f5a55972308a4270da0b6

SHA256
8bb6ecc474c6d17a0f0ad03caca2c781dea11ad74c818fc8e81e5d1f669fa8f2

SHA512
90bb22f168b9a1346c7813f0ae3ac8a8bf32db09c8e2e8b1baca33b45b8620bc1e89d7e3a3650ec3ac666d6ca3c6846b4018c0b3e774fd5ec54e1b0f290d2bb0

Download Submit
C:\Windows\SysWOW64\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
memory/4276-151-0x00000000027F1000-0x00000000027F5000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads