neshta | 13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee

Analysis

max time kernel
131s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-11-2022 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
Size

186KB
MD5

5d7bde6e537b207b0a64ac6f7ce07ae9
SHA1

18c7509eca18bc9534267f150875fdeade983973
SHA256

13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee
SHA512

2c165980ecec1ca820f3b396c4ef6305d933a40611867945fc1f4e380b648002f0fdd0b7971b3af2488e39a3ac73e8b8430c5bb2298d55e23aaf44e0f6eadd50
SSDEEP

3072:zr8WDrCo4eOyVTGfhEClj8jTk+0hdQaIDjiPBAp5XhKpt:PuyOiTGfhEClq9gQ3jiSbXEt

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

3 1468 WScript.exe
4 1468 WScript.exe

flow	pid	process
3	1468	WScript.exe
4	1468	WScript.exe

Drops file in Drivers directory 3 IoCs

Processes:

WScript.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

pid process

1984 13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

pid	process
1984	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

Loads dropped DLL 3 IoCs

Processes:

13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

pid	process
784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\Program Files (x86)\Compan\New_\slovi_volnui.vbs	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\Program Files (x86)\Compan\New_\gutalinom.nah	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File created	C:\Program Files (x86)\Compan\New_\Uninstall.ini	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\Program Files (x86)\Compan\New_\silk.node	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\Program Files (x86)\Compan\New_\sosni_tuntsai.vbs	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Compan\New_\UNINST~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\Program Files (x86)\Compan\New_\Uninstall.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

Drops file in Windows directory 1 IoCs

Processes:

13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

description ioc process

File opened for modification C:\Windows\svchost.com 13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

Modifies registry class 1 IoCs

Processes:

13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.execmd.exe

description	pid	process	target process
PID 784 wrote to memory of 1984	784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
PID 784 wrote to memory of 1984	784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
PID 784 wrote to memory of 1984	784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
PID 784 wrote to memory of 1984	784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
PID 784 wrote to memory of 1984	784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
PID 784 wrote to memory of 1984	784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
PID 784 wrote to memory of 1984	784	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
PID 1984 wrote to memory of 1708	1984	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	cmd.exe
PID 1984 wrote to memory of 1708	1984	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	cmd.exe
PID 1984 wrote to memory of 1708	1984	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	cmd.exe
PID 1984 wrote to memory of 1708	1984	13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe	cmd.exe
PID 1708 wrote to memory of 1480	1708	cmd.exe	WScript.exe
PID 1708 wrote to memory of 1480	1708	cmd.exe	WScript.exe
PID 1708 wrote to memory of 1480	1708	cmd.exe	WScript.exe
PID 1708 wrote to memory of 1480	1708	cmd.exe	WScript.exe
PID 1708 wrote to memory of 1468	1708	cmd.exe	WScript.exe
PID 1708 wrote to memory of 1468	1708	cmd.exe	WScript.exe
PID 1708 wrote to memory of 1468	1708	cmd.exe	WScript.exe
PID 1708 wrote to memory of 1468	1708	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
"C:\Users\Admin\AppData\Local\Temp\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\3582-490\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\Compan\New_\nitie_i_bluz.bat" "
3⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Compan\New_\slovi_volnui.vbs"
4⤵
- Drops file in Drivers directory
PID:1480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Compan\New_\sosni_tuntsai.vbs"
4⤵
- Blocklisted process makes network request
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Compan\New_\UNINST~1.EXE
Filesize
56KB

MD5
3289e2d767a5802c90d20ac11bcc1294

SHA1
1bc27d269547be799ca03aac8b17289058ebb5c0

SHA256
cbcd0de51d9a2b03115b42bbbdbde2683608846fd3996537a0ddaa8046c2ef23

SHA512
b1366fc6490e9f01e41938cbbdc27e59f96df23a78e5fcdd93eff92eff9ffa9286f8186b52f45f81851171d5c89a9ef6a9c9c0068d2ddb071760c8653747a514

Download Submit
C:\Program Files (x86)\Compan\New_\gutalinom.nah
Filesize
43B

MD5
f2e0e659880e05a882ab7647cb9f81e4

SHA1
a4c2100dec8a980ae6410cd317d4e8b79c1add73

SHA256
ca6dfb79fcd371341ca3a122c0afd880cbbdf4098ae20d5b96f7eb61ab3b9ac7

SHA512
bbfd4262363b6c8df745f82d9464b4a235d58f24413b75e4e63549e3b8155ccac6d63ac4647507be94f13557851d9fb92c2a576a12fbfe8b2d6981b0e55ff4ab

Download Submit
C:\Program Files (x86)\Compan\New_\nitie_i_bluz.bat
Filesize
1KB

MD5
a971c2fd2e54e87d55c9ff7442579c6b

SHA1
5ab1c89daa6a47a31abd502023e5ab0b817cb849

SHA256
fc5474c031ad0b5f506422e1ea68ad7ee5eb715e6146b871370f6f2994107353

SHA512
e7f36cc7f9cfb2da46ef77a65f0fe8c38d47fa87e4570870c1993fa92b8a2328c4e6581c66d0112b072480366b3040ea8c6347174c61ec38386d1cb5627668df

Download Submit
C:\Program Files (x86)\Compan\New_\silk.node
Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Compan\New_\slovi_volnui.vbs
Filesize
791B

MD5
03e4ca9b64db726187d32b9e12e45780

SHA1
af3c46e082896d85eb823353e7a5ad8cf7eb17a9

SHA256
1f590ea497fa07551781282c316515b0d3f06dffa2c5d4f7743b9b5dae6fe236

SHA512
725a038c1c4b0ff4e6614886f16d8665d043e23a80256d4e4a07e9e9849919386d07bcc4983944119a2b17859870c410b94ce2932a59c47728bb55ded64252e7

Download Submit
C:\Program Files (x86)\Compan\New_\sosni_tuntsai.vbs
Filesize
209B

MD5
375b55f0b4de79fcb39ba73232ec9dfb

SHA1
54b4610b1dc5bf5744070b52a7643d1de6627264

SHA256
508a3a6ccfc8608428f1b40eb303ad3daf579b903be40ec4d6d07731c09a1674

SHA512
d72a4b671ccf001388bde0ad4c5886e34bb8b3ff1a9b3faf1d0b40a70ba1c5ce6ed15b563895544b748fdf246de819b0a1b19dfc543a513d8bf6f0a2531d635e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
Filesize
146KB

MD5
5f1157f916fa7b1e7832ea96c6cde882

SHA1
3d44a1f32b461457232a0d3fd809e9885e70fe1a

SHA256
082433298a0e3c92abb5de601467d076786d5978382017b5703d2c14d1d56118

SHA512
7cbb13cf567c75302689ea28d63628bbd84e1983f24c808e11fd805e94225ec2b8b97aadfa7ef451956f4b211b7b1cf72cddcb8e86a5b4195c8f62be2a5348f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
Filesize
146KB

MD5
5f1157f916fa7b1e7832ea96c6cde882

SHA1
3d44a1f32b461457232a0d3fd809e9885e70fe1a

SHA256
082433298a0e3c92abb5de601467d076786d5978382017b5703d2c14d1d56118

SHA512
7cbb13cf567c75302689ea28d63628bbd84e1983f24c808e11fd805e94225ec2b8b97aadfa7ef451956f4b211b7b1cf72cddcb8e86a5b4195c8f62be2a5348f3

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
1KB

MD5
1b7d708bf2ac6a9f566e6e6e8589781f

SHA1
e093b867d1f6bca785d9276ae69d603b78404f78

SHA256
0b855cf5e07f170036368d5eda185c2e8b2574a51be4aa52f8daeeb23d6f7781

SHA512
f1d0472b9bc9483e7e678487b2bdf51c713621b7bdc06dbbb2bde924d8652e23af5642db2c365cef6e8708e94dd7412360b3076a4bb5c3e995d095a4442dff22

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Compan\New_\UNINST~1.EXE
Filesize
56KB

MD5
3289e2d767a5802c90d20ac11bcc1294

SHA1
1bc27d269547be799ca03aac8b17289058ebb5c0

SHA256
cbcd0de51d9a2b03115b42bbbdbde2683608846fd3996537a0ddaa8046c2ef23

SHA512
b1366fc6490e9f01e41938cbbdc27e59f96df23a78e5fcdd93eff92eff9ffa9286f8186b52f45f81851171d5c89a9ef6a9c9c0068d2ddb071760c8653747a514

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
Filesize
146KB

MD5
5f1157f916fa7b1e7832ea96c6cde882

SHA1
3d44a1f32b461457232a0d3fd809e9885e70fe1a

SHA256
082433298a0e3c92abb5de601467d076786d5978382017b5703d2c14d1d56118

SHA512
7cbb13cf567c75302689ea28d63628bbd84e1983f24c808e11fd805e94225ec2b8b97aadfa7ef451956f4b211b7b1cf72cddcb8e86a5b4195c8f62be2a5348f3

Download Submit
memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1468-67-0x0000000000000000-mapping.dmp

Download
memory/1480-65-0x0000000000000000-mapping.dmp

Download
memory/1708-60-0x0000000000000000-mapping.dmp

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download