b8ff1dd80f370b137922a9dd2d8b04e16fd4f8681458f92c566e65e2e80724ad

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 08:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HashTab_v6.0.0.34_Setup.exe
Size

1.1MB
MD5

0a401aec90a0b4f4da73b4131f24eda1
SHA1

e0ab0528ab4daa470ec2e1d6a723cd6a308306f7
SHA256

b8ff1dd80f370b137922a9dd2d8b04e16fd4f8681458f92c566e65e2e80724ad
SHA512

7d28c09e5536d2cec1e7f2b57817dc7061fdb82bbc0352515154e18fd20caf7bbfa79104f388e4f3bc20a7c0c5732fd9f5d51708805414300d558b3f6cd02365
SSDEEP

24576:r7LyKHCmlCRWCjgzh5gHE9WIrAp8YOyS1Dm2CyE8rHNQOo:DyKHRERWCszhqEw5qYOygrf1o

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1744	HashTab_v6.0.0.34_Setup.exe
1744	HashTab_v6.0.0.34_Setup.exe
1744	HashTab_v6.0.0.34_Setup.exe
2944	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\HashTab Shell Extension\HashTab32-6.0.0.34.dll	HashTab_v6.0.0.34_Setup.exe
File opened for modification	C:\Program Files\HashTab Shell Extension\HashTab64-6.0.0.34.dll	HashTab_v6.0.0.34_Setup.exe
File created	C:\Program Files\HashTab Shell Extension\HashTab64-6.0.0.34.dll	HashTab_v6.0.0.34_Setup.exe
File created	C:\Program Files\HashTab Shell Extension\uninst.exe	HashTab_v6.0.0.34_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000b89dca002ec650c9b5372731f8d55818ec1fcd3a9b0bf278bdd5973dd4eb73bc000000000e80000000020000200000009a4f1d727926850ee779484b631ab8722de557c7013e4793978d3c0f7f97eeac900000003f38c3b5d7d7777c28b5b8bde5322298b790c65b6e84036fb913f5b4a57ef7f260419fd2acfdccc252d346231ef6044dbc63fea3f4000c7963cc0928b3806409988a37cbc55c513df90e5de84f20e746d4761f4e441623d6066c0a4ae074b91977444900f503ced0ce9db45801259d9416e4cec943f79d6b37650ca624fc487a5dd0ca6f0921d932d62fc245455bcef040000000eecb21009a4448653cc402ba242e6f31c1db138a6e47eb7bbcd419f0f897294f5c8a324df4ceda12c6e70cc3e3d39bcc66301b17f8846a03fd8c56efb018594f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\implbits.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000568eb6ffdfe2ab6e0f24b29f918976324f619f75c489475547df17cc0870e45d000000000e8000000002000020000000eded8b7586435a20b9ced61ee2b30dcfe7e48c68f26d39d4d58e08da17d3c1a420000000207b955906545c58b33281d2e9d290a9435c974f62704261ee9c98f7f4eabd1740000000eb215b0e55bb0b28b954581d3230a5c2026b7bed50ddac14456a1267cd001e970fcac0e0905bccba8d8fff2aa4a9a1ca036ae34a3e3c879d70dffb35ebf69836	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421318033"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\implbits.com\Total = "18"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30649a1020a1da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\implbits.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{378A1A41-0D13-11EF-852B-6265250A2D3F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\implbits.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\implbits.com\ = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\implbits.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\ = "IHashPage"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\TypeLib\Version = "1.0"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\ = "IHasher"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\Programmable	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\ = "ReportProgress Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\0\win64\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\0\win32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab32-6.0.0.34.dll"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\ProxyStubClsid32	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\ProxyStubClsid32	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\ = "Hasher Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\VersionIndependentProgID\ = "HashTab.DropTargetImpl"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ThreadingModel = "Apartment"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\ProxyStubClsid32	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl.1\ = "DropTargetImpl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\VersionIndependentProgID	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab32-6.0.0.34.dll"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\Programmable	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl.1\CLSID\ = "{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32\ThreadingModel = "Apartment"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\VersionIndependentProgID\ = "HashTab.HashPage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl\ = "DropTargetImpl Class"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\TypeLib\Version = "1.0"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\Programmable	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage\ = "HashPage Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\Programmable	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage.1\CLSID	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\ = "IHashMenu"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl.1\ = "DropTargetImpl Class"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\FLAGS	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\ = "IHasher"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl\CLSID	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage\ = "HashPage Class"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\ProxyStubClsid32	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage\CurVer\ = "HashTab.HashPage.1"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
900	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
900	iexplore.exe
900	iexplore.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2944	1744	HashTab_v6.0.0.34_Setup.exe	28
PID 1744 wrote to memory of 2944	1744	HashTab_v6.0.0.34_Setup.exe	28
PID 1744 wrote to memory of 2944	1744	HashTab_v6.0.0.34_Setup.exe	28
PID 1744 wrote to memory of 2944	1744	HashTab_v6.0.0.34_Setup.exe	28
PID 1744 wrote to memory of 2944	1744	HashTab_v6.0.0.34_Setup.exe	28
PID 1744 wrote to memory of 2944	1744	HashTab_v6.0.0.34_Setup.exe	28
PID 1744 wrote to memory of 2944	1744	HashTab_v6.0.0.34_Setup.exe	28
PID 1744 wrote to memory of 900	1744	HashTab_v6.0.0.34_Setup.exe	30
PID 1744 wrote to memory of 900	1744	HashTab_v6.0.0.34_Setup.exe	30
PID 1744 wrote to memory of 900	1744	HashTab_v6.0.0.34_Setup.exe	30
PID 1744 wrote to memory of 900	1744	HashTab_v6.0.0.34_Setup.exe	30
PID 900 wrote to memory of 2100	900	iexplore.exe	32
PID 900 wrote to memory of 2100	900	iexplore.exe	32
PID 900 wrote to memory of 2100	900	iexplore.exe	32
PID 900 wrote to memory of 2100	900	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\HashTab_v6.0.0.34_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\HashTab_v6.0.0.34_Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\HashTab Shell Extension\HashTab64-6.0.0.34.dll"
  2⤵
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:2944
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.implbits.com/products/hashtab/start
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HashTab Shell Extension\HashTab64-6.0.0.34.dll

Filesize
1.3MB

MD5
6e6559ac4c7abf6f7d60165e1c2f9b65

SHA1
2d0faf4d27680c9c971f8ffbf2b0152b8fb9c4c2

SHA256
33110cfbb450b0a06a9a70449e674774823e730ed37dda83a25dd0dbc81f8b21

SHA512
22eff4290feae094d14559cf150bc3d6cc5203f79554d8bee8bad7a7b509a5cdd953e45eb897dabffa1377b7636e03cdd83ec6de903970b65dce1f7475af4dca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ade7803028bdee5ddcc5abefde570f6b

SHA1
136c24517b307dfe990db5058a09ac86136db2ff

SHA256
30a4b43ee663b02897938e356e88c9fe71704b970f3fe456dfdc59d3de5b9aed

SHA512
b7d31f9ca36db48d2356ce702ed93956a704777755b7165d8ec8ab2fbc499287f12e2394bd37e8b0c0fea5490827cc2d69ccab1d565de62b02d0d08eded1a03f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c910e1a91fc0ccc8154407f8ca78a24

SHA1
604944045c772ed577f463f9122ae12660250051

SHA256
0c14395e49dd9ef56b3432cf764742946b43122f31c15a983b02f507de2b7f69

SHA512
0b6b0d74cceed7afdaca893619fcc478faf189b4dd3c2c375ddf06d5b22150430e984b14c4d1112ff34fb426b18b4455bdb235991a07eb0707f5df71f9185966

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e92f80c3944573e07ab9bebb924b8cf6

SHA1
367e969c5c4ec9da9cbac35d9a6c79e4838e0ae6

SHA256
fcb6450a66a39554a1c0b92a35f081815de20a7dfdfad14ace5f8ee1aae74a5a

SHA512
bc5076426425c9e53b59dea3438c6815d13ba2b574e607f1a8acdb3e03708b91d23bdb136ed96446c577ee806d6085162634d838726e1e85da8be3c5f329ac89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3471fed2e1287720739a4e50a2b6c69

SHA1
3535060eaf2f734908c3d128d652d97e2fafdb7f

SHA256
ebf89cf4f1fa6c6e2564be450d499e839714f3d01939d9a99b0c6a0bf314346c

SHA512
75ba7b7f01c6254af3de10f9b78797302c973fea3f895368f5f411b20f23823521f850e839f01b78a7975537aed0cf6125e9c7b0de2c5c693f0a330730ec8f6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe74e89c99aeb94d5a8bc11088062288

SHA1
365426c1b015f871c0a8a3f4242ffe9f53531daa

SHA256
96693d5d2e52ad5802fbc8cc2352366753815036ccdecef59ee439cbea17e35d

SHA512
e3ad500133152880e74ecb1fcc3283749b7b360b28c54f11b757eab19075392bcb504e18ce73dc9b4dfdf6906102e821086d1ad674545601510ac7eeff443af6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffb6b8ee0eb657470709db0442028438

SHA1
6f4a53f346387aaf789122ee185df3ec81110365

SHA256
0f386900aa64152d359856ae999cbbf421c5f7892875d8275819c06e04310d96

SHA512
2d5e733047d2ec0cdc834d1135ba24fa367291b6f51932828cd90c8c5f0e3cabd712b7c6071ef438bc60a27bd8ed5f522e5d8f3ce3898e0d77d799bbe30568df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
661efc6b5d01cb6f36e8d7f1038b936f

SHA1
28b6447307468baf06990d33876acaee1767153f

SHA256
251451a624e1d5b6eb5cd3b54d5b561027bdbeda540f8da4fb927d2fe38b92f9

SHA512
ca32d3cc92c98c84dfcfb12dd6dc08083c20dc46e44978a00e14ec3920cc1ae6a2fd78d98b57e79a1dfbd1e42155e5080acecf26527df254cdbead3144ef47c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
700e595ced798541280b83c5a9be37fa

SHA1
db8d9e74692618ef2dd96980861b2f807944ad91

SHA256
6656ac614e5e0a78a29f5108bd3e656555efeb7e8d091d3733124901287bcf59

SHA512
7a6511fd781bb4b02b228a91e6f0abd5b3c78496f95eb7f23333fa2cb10d6a7a3c07dc08a4b3e21d052e2e0f6468896702e7fb54e9f919a86d47dfd9b6c39d09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6169ba5c9bb30814d20093feaeb72ef8

SHA1
9b53581e542312a1380f65660d8e4e01d33d35cf

SHA256
b2fe06a8ccd29e1abefadc2b9a59fadf996a792a9c790ce0000bd2684b167e8e

SHA512
180568caea2e3c794066ff9bf2afc905d070d0d1a264242d21186c143af0e297b641ac15e9662eee09767d52429141f6e6937b4b3ef495396ebe4fd0f358343a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f357e15bd460be256239d9dd7470576f

SHA1
3a89bde03bd79cfb29f924e104412ff9084fc218

SHA256
baaccc7a8a6c45f155fe23971079b8bc958d5817eb2f07880e53e98c0f14d58b

SHA512
25e2e014beb8ebbf9d76448694e7c5b64f5cfea0f5d1b9ec0c4c79b33afa94c94cebb9e8d5e7d45d0befade80d927bf83c30d55b5b020570eee09669c299675d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bba593fd79060f7ae8133c852cc42abf

SHA1
af05c1506ce6123d2467d76d169cdfbbb2f8d839

SHA256
b893ede027121e27a19162a646d1269c7004e645399eff96dc8ff6bab04138e5

SHA512
18cb0ea07a198d232d222a384d09cf895ab2b1df3e9fe0e74d28c4cab49d66e40ba7247de293184b185d4181c6c7a2bceafcd73bde2e378b44983ec72a8bf4da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
658f39de9404db18dccd4b07d6a52804

SHA1
0f1c2df24f595cfa385057f61bae18fa2a07192e

SHA256
461e2b5a657398e9882eeda07b6705926cbff318573e93a259015add28e305db

SHA512
2e61cd46f731d382807781765b10aa5e6ee4c9501bff9bac4b721caccb64f5621c2d5ae41786e1356b11bd03ba830be71f90afa67c746a9097b298657617e607

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b30ac70f92006f36fe5a52fa1e36d343

SHA1
87410a47c8c732d1ef73ff29dfb1db21a70dd7cc

SHA256
b796e11a2e764d3b9e440ed77528e05a2ca09f3e63671aaa9e6f19faf02786ad

SHA512
73bf5a15c237d033bfeaa6c2c59d60e7086eb631ae5ec26faed158839b507d75798488a0872be46585d943828020272c163a13228ddc8d5a1db6bf552609a982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb72336e2d50b7a58b46c6fca1900c69

SHA1
7b328a0171da56f8ff59cd3ad9abe8275f8ed14c

SHA256
7e4230442695bfe805fb2fa82cf5dd3bceb6509f90d46f84433980cf0ec247be

SHA512
dd5fbf5f780bbf6b78102137402b714a32e2b8847c7bc9a6624fa8d79757fab22af1419363493d6e2cb44311fa3405133fa6171f18029cdf3db7f146ceaa8544

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5516dc450802fd2ecb68bf4ce0650ba4

SHA1
a150d337a60097d0be5859ed99632e13ae83ae0d

SHA256
0af14234a846587c7a6746ca5e6717fbf0e55db86f2991246b812ea65804a46e

SHA512
bd6b7ac7b9637c2addf98ee320dd947b9e71fcb4c52c7d92c97f3e25290952d964db9c82babed97840631ae4441856b0024a6609e20b2b54b66157be2b20e68e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80dd6f258b4d7e3fa0d564feb7f0231c

SHA1
53bde5064d2351ba714f73258a9da4a3aeff0149

SHA256
c02daa3785fd1786ccbe7476c40ce3b8d8042b093968427e60d0c6e72e70c305

SHA512
d1e883983f1ac86defe549d7197852672e95cbb45ca462cbfd89958cb171587c47df986b1c94d3f865f3d03131cd86cfbc7c6298500ff3cd0baaf29f4b0372db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9eca36462f1fa12a57942b7059625a66

SHA1
a59af4e35b7e3b15347c9b716365d184b18eccd7

SHA256
03c601ebb5fe04e1345911e9927c295af746c2c403c5aeb8cdc10b87c170c9ee

SHA512
841650d315d3f80df2d5b4c0feb1d4af6f8d890953fdb16f3abe0917b0da3776206f3522db03600a23330ec4e6063339209ae413a217c0d25e49aa7c9ae41864

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31bf1d6c14c8019ab83f9f163be455b1

SHA1
1919ed3141cbf68eacedf523273c1228fadcd0bc

SHA256
83336c90693f8aba999f409087ed000e6a798d6e4afa94f8223d00c2743ba53c

SHA512
df320409e9748e95af3aadd9f01f316b31c722d317bb59efd456e7892ff46b1ea4926608f7987a7855e560ca021d485e1a701469ac59c3d328f3367d974e9d33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19b2325f8bd36637702d2e44a8596f78

SHA1
af397adbf9ced01e986f86afcf981417942c3b00

SHA256
3a677a15f2342a4743b4fbadae819d59020d24132487034707a429885b2a7664

SHA512
98cfb2b2dcaccd930df2ebd085caebf9caa02be02484e7ac6fb24e6be9b2b3e2d4de792acb17622222da61afb7a25603dd375eada68cf9ec6e93dac88d3d0fc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0fe762bec0b129f57ee28ec0d19c422

SHA1
c96f94cca5006de5853ebd4aa5385cdfe6d5dcb5

SHA256
2e36c455b7652db2ae9cc74b8521b7f50a1d15c7b80f478a34d843cf1738f065

SHA512
e206ba778ef41380b4a4d0952e9837688a300f2b2c6682ac5e1e35664cec5dc9ac7469255b999b8115fcebf60b1773823a83e7992c88cdd9fbdeda3806ffa961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8c594432cf05ef8817e070f5384fb43

SHA1
028c3d2591e4fa85104143bcbf9fb1c26c9789d1

SHA256
7590e7f0db92c55dd6eae9dc62b59d9d02b2106ddea2ecf25a123042a547f200

SHA512
94a463c5625f2b968fb396e3d69b934255e6321e5bf27302e39c1e08adb677789948dc851e16d92de7c939c9fd3fdc98371a578bbf95e80e36104a5e01e442e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43464175f81a26fa28193dad724e07a3

SHA1
d5bf75358ea81f2463acc635f4f50cab817d893b

SHA256
2a119479e30d5f0cfde34ab4cee4eda708e6afda6a3f53d528dafffe9b244f4e

SHA512
d93a708075f0dd9aac3aa5cf06634c75957be11213189bb6c74b58d23943686b9abf320b164bbeac58b2541fba2d755c988dcf7f3bbdb824f63c535235046dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9a860c201e0b3cda84a742b5c8303b33

SHA1
e18379ed4ddcd60401dea0ee0d026d6abdffe141

SHA256
65b6047d9ca0dbb01b883d91d49202db1f77570e03ec4db16db412abdbf7ff06

SHA512
6b427141059c07af2affa6a3a94949d50f87610b88cadc557e64927211adc05b9117c0b6ba903d47a5e8a359d26f12004430e9f24fcdfe8999a711ed848208b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\HNUXBUCX\implbits[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
718B

MD5
2f2aee2f0a64ace19ab67fdfa9b1a79b

SHA1
21175b1477e4007d1b6380942fd3557e51fd55ba

SHA256
366d0d9be0a47250c7af24a56bb988dff5fc9d1a2b27d7c6bb6e109ee050c3e1

SHA512
2194840461f9c3298ca37c3149498e128ac545a1b8724203cf3c962d2b385b9e1a4500e444f6f304e9425a1a90d9e8f3e7dc44c9eab1ada6159111647b24d458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\cropped-favicon-32x32[1].png

Filesize
526B

MD5
521b0c2af39df9b2e64449478f825468

SHA1
5f2f28006f8b14ec35e05483176828d0612b8aa9

SHA256
98553fc350bca446f4403f270febfe8fbfd3e78411cad9697fb06e29b4ef4f34

SHA512
444f0aae8b672cc0ea7f2092c8a3500df1b6434fa5f8648da0fedc096c3b01813e8e7943860ae7ceb1349a68f2284ec7451a123221ac7b317d3c3c1a2b3e9939

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8892.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8951.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar88A4.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8965.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst2702.tmp\ioSpecial.ini

Filesize
545B

MD5
2aefebb440227734b177d598715c524d

SHA1
0b963d251e52dbc12a6b5f94fd93f6959c74b60d

SHA256
8f6c8274071a7820d9f9ede24e776faacea37bef7663fe92e13acd72ee76ab2b

SHA512
a5a57f8b894053097995f2bc33b879462f527c152487a8a539588c3fe9ae82440d3a53172844009be3244cc05068f79f156ac793bfa051d5a718040f491eccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst2702.tmp\ioSpecial.ini

Filesize
545B

MD5
6a41c4a6935d46c14c8dee721c507f98

SHA1
a22bb699aa3c403f560fb7ce6cfb0a4bb74507c3

SHA256
d6811c90cd442db777c391b3b58d7280f39cfd8dbab637f6a2100a8ac6370d7b

SHA512
180cf5a34f0b36a3f59f4541b9d4a2b86c5c77c17c29b8505cf6234d14a6a750e0f52f963ea0a474389ccbd1baab9152bbadf06ee68971ee2f0378028ab3d120

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst2702.tmp\ioSpecial.ini

Filesize
683B

MD5
74f1cda5c10a058c4f278b1c6ff2a1a8

SHA1
3995145cffe9fa87fee256af84fda5380a0168ce

SHA256
80eaf589787e0a12c378327b605ac419c0569cac92f80d0b7372ccbdf53af900

SHA512
9514d1a60cd678a865367fc9cc78b9f42ac79c5c24872c5c2c39d016a3a31139f016fb143997c195e3d2de2f1f8abb5ff7a27b20e29651a8bed549d3ea6b5229

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst2702.tmp\ioSpecial.ini

Filesize
722B

MD5
c01ac83d78a70e3cf49ea41a58608e98

SHA1
dc7072bea2c3765292e32db07308553f3c8ba9fc

SHA256
9b8de050c8246067b793ce85a1c32dfb1ecd3a44d2eafa842a89395b36d44e8b

SHA512
fb211fad05d234c0f9ca13ce95c028cb311347f3bec172d8b164edac48ed27ccf57712f1a2f2562884d6b6ab9127519042a8acb515f000ad096aabf6e13b2df7

Download Submit
\Program Files\HashTab Shell Extension\HashTab32-6.0.0.34.dll

Filesize
1.2MB

MD5
5ebabc79ba313e50e024cc9099c90152

SHA1
d78b4453fe5226a2a129beba59aa4ff724e76092

SHA256
b6c79d19cf48580ede405e33b7975773ce5d23b9be5a6cabdb17ddb908c61735

SHA512
ed5fd6d98a1af599132b0cf1700ed77532b640ce452239b1e4044d9ad97530ee67b6010b6fb943ded03328db47e2f7fdc2b24f2136b03026475e432d5cefbfc5

Download Submit
\Users\Admin\AppData\Local\Temp\nst2702.tmp\InstallOptions.dll

Filesize
14KB

MD5
3e277798b9d8f48806fbb5ebfd4990db

SHA1
d1ab343c5792bc99599ec7acba506e8ba7e05969

SHA256
fe19353288a08a5d2640a9c022424a1d20e4909a351f2114423e087313a40d7c

SHA512
84c9d4e2e6872277bffb0e10b292c8c384d475ad163fd0a47ca924a3c79077dfde880f535a171660f73265792554129161d079a10057d44e28e2d57ebc477e92

Download Submit
\Users\Admin\AppData\Local\Temp\nst2702.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads