b8ff1dd80f370b137922a9dd2d8b04e16fd4f8681458f92c566e65e2e80724ad

Analysis

max time kernel
139s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HashTab_v6.0.0.34_Setup.exe
Size

1.1MB
MD5

0a401aec90a0b4f4da73b4131f24eda1
SHA1

e0ab0528ab4daa470ec2e1d6a723cd6a308306f7
SHA256

b8ff1dd80f370b137922a9dd2d8b04e16fd4f8681458f92c566e65e2e80724ad
SHA512

7d28c09e5536d2cec1e7f2b57817dc7061fdb82bbc0352515154e18fd20caf7bbfa79104f388e4f3bc20a7c0c5732fd9f5d51708805414300d558b3f6cd02365
SSDEEP

24576:r7LyKHCmlCRWCjgzh5gHE9WIrAp8YOyS1Dm2CyE8rHNQOo:DyKHRERWCszhqEw5qYOygrf1o

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
112	HashTab_v6.0.0.34_Setup.exe
112	HashTab_v6.0.0.34_Setup.exe
112	HashTab_v6.0.0.34_Setup.exe
112	HashTab_v6.0.0.34_Setup.exe
1056	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\HashTab Shell Extension\HashTab32-6.0.0.34.dll	HashTab_v6.0.0.34_Setup.exe
File opened for modification	C:\Program Files\HashTab Shell Extension\HashTab64-6.0.0.34.dll	HashTab_v6.0.0.34_Setup.exe
File created	C:\Program Files\HashTab Shell Extension\HashTab64-6.0.0.34.dll	HashTab_v6.0.0.34_Setup.exe
File created	C:\Program Files\HashTab Shell Extension\uninst.exe	HashTab_v6.0.0.34_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\HashTab.DLL\AppID = "{0A3C1C8E-5829-4CFD-B1CC-475DB010B883}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\ProxyStubClsid32	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\AppID = "{0A3C1C8E-5829-4CFD-B1CC-475DB010B883}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\Version	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl\CLSID\ = "{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\0\win64\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage\ = "HashPage Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl\CurVer\ = "HashTab.DropTargetImpl.1"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32\ThreadingModel = "Apartment"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage\ = "HashPage Class"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage\CurVer	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl.1\CLSID	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab32-6.0.0.34.dll"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\HashTab	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\ = "DropTargetImpl Class"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\FLAGS	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\HELPDIR\ = "C:\\Program Files\\HashTab Shell Extension"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\ProgID	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab64-6.0.0.34.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\TypeLib\Version = "1.0"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0A3C1C8E-5829-4CFD-B1CC-475DB010B883}\ = "HashTab"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl\CLSID	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77E80876-D470-4EC2-9EA6-FE8CD145A475}\InprocServer32\ = "C:\\Program Files\\HashTab Shell Extension\\HashTab32-6.0.0.34.dll"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\AppID = "{0A3C1C8E-5829-4CFD-B1CC-475DB010B883}"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FD14B7C-A581-4F66-84C1-67C4CE14BBCA}\Version\ = "1.0"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\FLAGS\ = "0"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\ = "IDropTargetImpl"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\VersionIndependentProgID\ = "HashTab.HashPage"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\ProxyStubClsid32	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.DropTargetImpl.1	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\TypeLib	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\HashTab.DLL\AppID = "{0A3C1C8E-5829-4CFD-B1CC-475DB010B883}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\ = "HashTab 1.0 Type Library"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3D7DD5D-510B-477C-9521-2BCBCC91762C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA10CE2A-5097-4D39-96A8-1E64ADFA9096}\ProxyStubClsid32	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\AppID = "{0A3C1C8E-5829-4CFD-B1CC-475DB010B883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}\1.0\HELPDIR	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FCF1002-1131-4C88-B982-1B5055C7C945}\TypeLib\ = "{1F9B20F0-0AA5-4EEB-B5ED-FADA0C41D073}"	HashTab_v6.0.0.34_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7435935-AAEF-4CE2-AD7C-66D46C192A0F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB9BCA6C-181C-44CC-ACD2-161FF3C6E592}\TypeLib\Version = "1.0"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BC2DEA9-DCDB-4961-8BDB-107767D135A9}\TypeLib\Version = "1.0"	HashTab_v6.0.0.34_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A56567E-A333-4843-B6E1-C3A262E41D8C}\ = "HashPage Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HashTab.HashPage.1	HashTab_v6.0.0.34_Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1056	112	HashTab_v6.0.0.34_Setup.exe	94
PID 112 wrote to memory of 1056	112	HashTab_v6.0.0.34_Setup.exe	94
PID 112 wrote to memory of 4568	112	HashTab_v6.0.0.34_Setup.exe	101
PID 112 wrote to memory of 4568	112	HashTab_v6.0.0.34_Setup.exe	101
PID 112 wrote to memory of 4764	112	HashTab_v6.0.0.34_Setup.exe	102
PID 112 wrote to memory of 4764	112	HashTab_v6.0.0.34_Setup.exe	102

C:\Users\Admin\AppData\Local\Temp\HashTab_v6.0.0.34_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\HashTab_v6.0.0.34_Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\HashTab Shell Extension\HashTab64-6.0.0.34.dll"
  2⤵
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.implbits.com/products/hashtab/start
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.implbits.com/products/hashtab/start
  2⤵
  PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3936 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
1⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5052 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
1⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5064 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
1⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5780 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5788 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
1⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5548 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
1⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5900 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5684 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
1⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5456 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HashTab Shell Extension\HashTab32-6.0.0.34.dll

Filesize
1.2MB

MD5
5ebabc79ba313e50e024cc9099c90152

SHA1
d78b4453fe5226a2a129beba59aa4ff724e76092

SHA256
b6c79d19cf48580ede405e33b7975773ce5d23b9be5a6cabdb17ddb908c61735

SHA512
ed5fd6d98a1af599132b0cf1700ed77532b640ce452239b1e4044d9ad97530ee67b6010b6fb943ded03328db47e2f7fdc2b24f2136b03026475e432d5cefbfc5

Download Submit
C:\Program Files\HashTab Shell Extension\HashTab64-6.0.0.34.dll

Filesize
1.3MB

MD5
6e6559ac4c7abf6f7d60165e1c2f9b65

SHA1
2d0faf4d27680c9c971f8ffbf2b0152b8fb9c4c2

SHA256
33110cfbb450b0a06a9a70449e674774823e730ed37dda83a25dd0dbc81f8b21

SHA512
22eff4290feae094d14559cf150bc3d6cc5203f79554d8bee8bad7a7b509a5cdd953e45eb897dabffa1377b7636e03cdd83ec6de903970b65dce1f7475af4dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA8B.tmp\InstallOptions.dll

Filesize
14KB

MD5
3e277798b9d8f48806fbb5ebfd4990db

SHA1
d1ab343c5792bc99599ec7acba506e8ba7e05969

SHA256
fe19353288a08a5d2640a9c022424a1d20e4909a351f2114423e087313a40d7c

SHA512
84c9d4e2e6872277bffb0e10b292c8c384d475ad163fd0a47ca924a3c79077dfde880f535a171660f73265792554129161d079a10057d44e28e2d57ebc477e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA8B.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA8B.tmp\ioSpecial.ini

Filesize
544B

MD5
78ef1f679318817981738e015d37c117

SHA1
ea226c9ec5f57724eeeeace17359f74040afb28e

SHA256
ae288ec093e599b43e36973ccf15aac8d9863096ffdc50f8c9cdcd0eba436439

SHA512
2ac52f8fb6ea5363871ef9479f2d374635f866af3e5b5d0bfcf8e6f66ed7961c6a6fa0e25b809d4ab5ec173db78485a2c7583a7f3d53a91c9ea0ea0cd3f8c066

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA8B.tmp\ioSpecial.ini

Filesize
682B

MD5
52f7cf9a085c3595c048c3ce68bcca38

SHA1
37aa11cd9cec0f2abffca563f984fb1da8bdcc0f

SHA256
7b578a66c53582610c253d232f56a437a88dc31f15a2f0b6897e39e97be52c9f

SHA512
7604c1c1cb381d88bf0057d35c464a7c1472874531ee2308642d63948e18dbd7b4ed63cdd0a8e96fc7690d11d7f59dd2502983340acfcaa0e192e501fa010378

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA8B.tmp\ioSpecial.ini

Filesize
544B

MD5
5d657555a115ac61096a57fee569d065

SHA1
a4ec44d0e5275b076f54101c33a3b1bfadcec2fc

SHA256
9c9f366b7a7f28cd5ed9b526dd22f41303351fef29004b52ecd182c955f43307

SHA512
a59b601cd2eb4d73216407c1965d63a91b05608565db347e4abb4c42d09955ac2500d2c40b0fda3ac5dbace2fc293c4025715bfbbe7bc592c3b0328b05021891

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads