hxxps://nezur[.]pro/

Resubmissions

04/02/2024, 19:45

240204-ygrd5shdh6 7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nezur.pro/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3572	Nezur.exe
5064	Nezur.exe

Loads dropped DLL 2 IoCs

pid	Process
3572	Nezur.exe
5064	Nezur.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	ip-api.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133515496218055386"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2576	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
868	chrome.exe
868	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
868	chrome.exe
868	chrome.exe
868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe
Token: SeShutdownPrivilege	868	chrome.exe
Token: SeCreatePagefilePrivilege	868	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
3472	7zG.exe
324	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe
868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 3484	868	chrome.exe	60
PID 868 wrote to memory of 3484	868	chrome.exe	60
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3244	868	chrome.exe	86
PID 868 wrote to memory of 3576	868	chrome.exe	88
PID 868 wrote to memory of 3576	868	chrome.exe	88
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87
PID 868 wrote to memory of 3692	868	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://nezur.pro/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff42de9758,0x7fff42de9768,0x7fff42de9778
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:2
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4868 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3896 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1884,i,17764681195012344154,9208064748007391552,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4728

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x2f4
1⤵
PID:1072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:464

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap31898:72:7zEvent30868
1⤵
- Suspicious use of FindShellTrayWindow
PID:3472

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Nezur\" -ad -an -ai#7zMap15754:72:7zEvent5699
1⤵
- Suspicious use of FindShellTrayWindow
PID:324

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Nezur\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2576

C:\Users\Admin\Downloads\Nezur\Nezur.exe
"C:\Users\Admin\Downloads\Nezur\Nezur.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Nezur\start.bat" "
1⤵
PID:2768
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4164
- C:\Users\Admin\Downloads\Nezur\Nezur.exe
  Nezur.exe auto_load.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\NzQ3.exe

Filesize
101KB

MD5
98581e944c93f228f7450157b854084a

SHA1
771aed658e46bcfa6e91ae95e7a53782ecbcac5d

SHA256
a1dfea152b3ccdf10c288fcba5c4eb673abe5107f9b533b2df0f3fe0640c5bdd

SHA512
e1ff170b0f399341c1622628384d9f46d699f7cbb3ecce1c6f77a5432b21c6d4c450542c8b911e3f5524c8098595a608eb8cd5cf45ac60dbecb0d286aefec639

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
1024KB

MD5
2c63eadc99b59ffa9f85e12e1d5962f7

SHA1
6b71e11b4d0ace67b081b6a8c653710da2a24910

SHA256
4ac3f174915a0456452ca1f45b271a866d7660f4083cbbc492c623f5f6686f82

SHA512
54f96319b5b469785164da90186ad204c0ffe4b64a52072ccf958d520a5f130245508f9de7edcea231a6efbc6342141f2401891074254912110097291edb76e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a70354f4fad495362789b89784589321

SHA1
ee3c401d32af971c89f86e0fe9366409fd12ecfd

SHA256
1a10b0f8d46d480fda4d8b9004c5fa2ec6cc5e1169f959b2ae78e297d88d6a13

SHA512
bfb6e73105940b9257117637caf6915d1c2439e85aeb05b94b881a21ddbdad6a9db7fad52ede06da789740cfc4fcbf95276c19836a0aa8d978bd70d8bc99067a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c19b08a7173707c9415307a0f9a692fc

SHA1
3e438a03d92be24e12be2d9073d56c74d6cc52bb

SHA256
ed1b744e974ddd21ac2cf42aeb5a823e1376c68c3dd06e0bca0f9294d52a7f02

SHA512
bac72d5a9637c8dcb4f1a39a40ae3259203dd5f8a92a252a7301a4b5ea17ca0a8543f59481c6317474ae287a45e9f20642b50d909037cb5ce422efd782e678a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
a18b44bb3e253c0334045999f9beca6b

SHA1
c0a64b7cc3bd942be7d60138b078cb6c60df7e91

SHA256
c76af2dc4651cf50fa7e5d014ed23a49fb3193943cbd17235649ed959147b55d

SHA512
08765e13bea7a5d3c2fbceee2df07def16f700b441919da867ed473d512a00d5869a5fe1541491fec714ab777cfb9f52479c74f84eafa32b03f8c337faa8c488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
bb0ea5dd08d21639beb3206ee5702de2

SHA1
a1c6b2b5c0632783fd1823618504c9b88352b3de

SHA256
e2055373fc30752039f039a494e9b5fb06ce681ef508e80d5855af5c33e9836f

SHA512
43f458af7aa359ab7d9d69302c0fa0d1fba2daf02bc492c3fe9a08f9de58d60883e78904ca79035c0195a80e94663db8cb8b0f1b0b8eff22726cc6765f9a3981

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e2158750ad730bc2102f507cc30044b6

SHA1
c8615e778827a5ace216b0aeaa01c89cc16c3480

SHA256
893940becc157ffef0f7c48aaadc7f4f8fe3064cc096270cf079aa382dbd8de2

SHA512
a6272ffe0c0e551069593e9781112229b8da606e9bf8ba1fe41cab8f61644871bcf1b445c961f7259314ba38ee6f1df74bb7f1b0c3fa647b7cb209a55fdf7240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5a5e164d0e2d324dd4775096f67cc486

SHA1
e2f5de356638e01e7e1a9fa05c0684c37344f650

SHA256
830a4752f1f123538e1156e7a1ce05e461b5b559b83de6a14a4188fda8c4cedf

SHA512
b30b34901fdca999ae1ece2383e95468df51b636a43abc92260b317b2c36be0349e22b37a4d71f3b09ed9c8d4eac1c4c5a7e60f31d33f70971eaf2ce29419c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d29981e7463e72883bd0102aaed92a6c

SHA1
6c8c5a5aacbbbd17fbb5919c62c2f6f667efd477

SHA256
cd398d46e72fb64495d07fb835a14a703ee70681257a78d10dba32bbe52a25c7

SHA512
6dbab1367a79714ab92c8411dd324b061ca27ae1fa7d247462f2f50c90eeb6cf63dbc5b047c201530203ba75527b9c81577cb68478bda1679bc861ece2e3b32b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e854918d95584f6293e8b2597fd6f50d

SHA1
1994f4fb836bb63d7f76ca904c203c4fe0b0199c

SHA256
c7d6357ae981a897104a248e6562f2b326feae358b428e75ecbe65eb7ebba252

SHA512
c3a01a39da1f5bdb65ff35ff372aa8f4bfe989100256dbe9f67c10199ecf14396f4e7211f757c6d0c52dd328b18c8eccc1e49839c913d79bf3640367a6b7a35e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
3d6e7170a2525a7aee5f7cdaeb973eac

SHA1
e8ab2c7761aefe8de5fd5ad6d9ff0559c34079e3

SHA256
ce53b6eeab130f8179392902085302e93d05a5769e65cde0eae3fb626f6de203

SHA512
e2f2cc4e29935d7ae674932109311344c404d24c6d0125a3f699ff2587a99323fa43cbd3d30dc514715207e879f7e1e9b25d67ba5d85cc179662364b3c952843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Nezur.zip

Filesize
478KB

MD5
6b5845b9c5e39f3e71b41ed9d4a2836d

SHA1
7612046abe2762ca2c413842bea42c2e43a585da

SHA256
15150c86bee8cd78be48f580bf84402850a2bfd01a3bc528ff6217d755bb4a16

SHA512
e85fa0b67fb7e1fadce109a7dd7ad215c2f4950d9d43c525da8f4edab71be87e89874de3229405963c590a9d435bfb055f34bb7e12aa553047862fd9e72134f8

Download Submit
C:\Users\Admin\Downloads\Nezur\Nezur.exe

Filesize
89KB

MD5
dd98a43cb27efd5bcc29efb23fdd6ca5

SHA1
38f621f3f0df5764938015b56ecfa54948dde8f5

SHA256
1cf20b8449ea84c684822a5e8ab3672213072db8267061537d1ce4ec2c30c42a

SHA512
871a2079892b1eb54cb761aebd500ac8da96489c3071c32a3dab00200f74f4e12b9ab6c62623c53aea5b8be3fc031fb1b3e628ffe15d73323d917083240742b0

Download Submit
C:\Users\Admin\Downloads\Nezur\README.txt

Filesize
1KB

MD5
4d61d6cf953627733ac13dd5e6cc8e69

SHA1
b930e8c44bb9ad460936aec495d53341954aee07

SHA256
667bcf026dcd5bce1d13f834b0e369f3ea97de875a46e11c0b3d5399113e7556

SHA512
a5110fa0240b8a9f77b18f134ff4ecf76d6eedf3ecabce932c8f97f3e2edf355e925734a2fdb170723b6baa9c26500c955536520874ffe0e6f98f440fb9b2c15

Download Submit
C:\Users\Admin\Downloads\Nezur\auto_load.txt

Filesize
187KB

MD5
1e6b9406fd84312cb2bbd29293f1a344

SHA1
543a81b1e1934c1cf0232a20869c428727a25454

SHA256
cf63912c3b3ccfacd48e8c35fc5fdd401135e6d56978fc0012ce86b0a4a81e0f

SHA512
a977e8e98734da9624c92ce2bd2ae3b2f3d3b910a961339aa223a00828536e979b8b6b603ddf7952e2625b1ae26d1e2931aa4c6dfa47de9908b536780d06767f

Download Submit
C:\Users\Admin\Downloads\Nezur\lua51.dll

Filesize
592KB

MD5
3dff7448b43fcfb4dc65e0040b0ffb88

SHA1
583cdab08519d99f49234965ffd07688ccf52c56

SHA256
ff976f6e965e3793e278fa9bf5e80b9b226a0b3932b9da764bffc8e41e6cdb60

SHA512
cdcbe0ec9ddd6b605161e3c30ce3de721f1333fce85985e88928086b1578435dc67373c3dc3492ed8eae0d63987cac633aa4099b205989dcbb91cbbfc8f6a394

Download Submit
C:\Users\Admin\Downloads\Nezur\start.bat

Filesize
548B

MD5
12c37bf6537bfdf93b80c31f6d1391b2

SHA1
43df564e4988008f3e97167837f58f1452cf3d13

SHA256
cab7b8973dd5f7252af6a1a080deec442acd1e6bdd6c7476bd73e39553751222

SHA512
c59645da2377ec2eb8c4ca75174379134dc657741ee324fc6fd38170b9704852bf136a919fe0363ea85befe61e8838ef74dad07e365392d8f8f6462bb1ba75f9

Download Submit
memory/5064-660-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-669-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-613-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-611-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-614-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-619-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-616-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-615-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-623-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-620-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-624-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-625-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-628-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-629-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-633-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-634-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-642-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-648-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-647-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-646-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-649-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-651-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-659-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-610-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-662-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-664-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-667-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-676-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-675-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-674-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-673-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-672-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-671-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-612-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-670-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-668-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-666-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-665-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-663-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-661-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-658-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-657-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-656-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-655-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-654-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-653-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-652-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-650-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-645-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-644-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-643-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-641-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-640-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-639-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-638-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-637-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-636-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-635-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-632-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-631-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-630-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-627-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-626-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download
memory/5064-781-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/5064-786-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/5064-789-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/5064-609-0x000000007FBE0000-0x000000007FBF0000-memory.dmp

Filesize
64KB

Download