Analysis Overview
SHA256
5080fde04d9c1a84629ef9115de89032f4648865a763b759e03140c82e55ef03
Threat Level: Known bad
The file Nurik Nextgen.zip was found to be: Known bad.
Malicious Activity Summary
DCRat payload
DcRat
Process spawned unexpected child process
Dcrat family
DCRat payload
UPX packed file
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-16 16:29
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Dcrat family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-16 16:29
Reported
2024-07-16 16:32
Platform
win10v2004-20240709-en
Max time kernel
69s
Max time network
73s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat | N/A |
| N/A | N/A | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| N/A | N/A | C:\ProviderdriverIntocommon\backgroundTaskHost.exe | N/A |
| N/A | N/A | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Internet Explorer\en-US\System.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Internet Explorer\en-US\27d1bcfc3c54e0 | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\taskhostw.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\ea9f0e6c9e2dcd | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\csrss.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\en-US\backgroundTaskHost.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Windows\en-US\eddb19405b7ce1 | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| File created | C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\cc11b995f2a76d | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProviderdriverIntocommon\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProviderdriverIntocommon\blocksavesdll.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Nurik Nextgen.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nurik Nextgen.zip"
C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe
"C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\88xPq.vbe"
C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat
"C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProviderdriverIntocommon\DS8loQgAzvz4hzGOlT2oxco7LQ.vbe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nurik Nextgen\Read Me.txt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\agbLTe.bat" "
C:\ProviderdriverIntocommon\blocksavesdll.exe
"C:\ProviderdriverIntocommon\blocksavesdll.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\ProviderdriverIntocommon\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\ProviderdriverIntocommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\ProviderdriverIntocommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\ProviderdriverIntocommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\ProviderdriverIntocommon\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\ProviderdriverIntocommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\ProviderdriverIntocommon\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ProviderdriverIntocommon\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\ProviderdriverIntocommon\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\ProviderdriverIntocommon\backgroundTaskHost.exe
"C:\ProviderdriverIntocommon\backgroundTaskHost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProviderdriverIntocommon\z4jwrAxpUhCGOKjWHl3LLujwq0.bat" "
C:\ProviderdriverIntocommon\blocksavesdll.exe
"C:\ProviderdriverIntocommon\blocksavesdll.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 613761cm.n9shteam1.top | udp |
| US | 104.21.22.205:80 | 613761cm.n9shteam1.top | tcp |
| US | 104.21.22.205:80 | 613761cm.n9shteam1.top | tcp |
| US | 8.8.8.8:53 | 205.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\Nurik Nextgen\Loader.exe
| MD5 | 01e38e791b2dcba64ee53f97b6e4059c |
| SHA1 | b732849edbab22895fbf0b4e6caba3f4d5006081 |
| SHA256 | b529006e6b49d8b3edc5692ee4489ff70f8a58e4a4ee387c330dfa5fa3453158 |
| SHA512 | 0a993abd964c9ccb100b7a6006dc1ef58dea391a0b70c51729f9c668b903db42d7cf1952598a450107d26fd2ecbc8ec56b46544e76f03944a3cf77167945fc65 |
C:\ProviderdriverIntocommon\88xPq.vbe
| MD5 | b564930885f2d5234f25eb8251f32a39 |
| SHA1 | dd29e4edd586ec9f224494a3acac72e463b03496 |
| SHA256 | fbdc4cba4a8dff410b24577cb12a693de0ae1579a57dd035fa54ccb22aeb148c |
| SHA512 | 2f14edb3ba61873a118907a5d5f8d150f0b886a842e320be568a42f1be2a97b270890173848613dd142af09471b16af3d39e766182d0ae10ad21d4dd47906907 |
C:\Users\Admin\Desktop\Nurik Nextgen\Start.bat
| MD5 | d66e9e4f15a2067b4b6c9c1ca79cdc57 |
| SHA1 | c8b3d637128e269624cc0f154dd4624ded00faa4 |
| SHA256 | 4c63d03073231b403a1b76acfbecb3c291f381092b3f3054ccfa2d651b6ce5d2 |
| SHA512 | 26aca6854e46cc8bc65b348654641191c61f920a02ded64f86f7433b5c277d9c00eecc1effd1dbb8dad978d970b53fcad1624f5e804bab1b5c3662160d6b97da |
C:\ProviderdriverIntocommon\blocksavesdll.exe
| MD5 | 8315d7b620a490b70605d3eb8ff5aacf |
| SHA1 | 1b3ffd2ad0d9ac4c544089389468b68893d5cb2b |
| SHA256 | fd9756282d79eff3fab007965ef93412eb774c26ee51a944fae43c3d7e8466ee |
| SHA512 | 3d48e50a56222e1929b0dd7da754f854b8e95d756ef9ccdd13e71554d4fbf984816869d6cd3990b0a2be3946bea9665c162d9b95915a71da219c8cf3eca8c9f5 |
C:\ProviderdriverIntocommon\DS8loQgAzvz4hzGOlT2oxco7LQ.vbe
| MD5 | e7ffce41b3ee681c84684a0102afc208 |
| SHA1 | 927758d2e6c11efc9591e454d2292bff168bc029 |
| SHA256 | e822fe09d88314279cfb16bd6fc3ab36d1d829dc8e9abdc35c6c0ee235fffea6 |
| SHA512 | 15958b53273fdea2714a751dc429d463648038913fe49a9ab4c66c7de11e69b5140bc6bc77bd46f018b3881c12e32f2dba9e825f64337d86a1130894ea1392b9 |
C:\Users\Admin\Desktop\Nurik Nextgen\Read Me.txt
| MD5 | c407fc8e8fa5835b0b37670a9c5f121f |
| SHA1 | f85b910cb93eb9c8df19eafcfc953c8e6dcd51c5 |
| SHA256 | 4c13d1b2a5986ddb0773ab95e91bd1ece263d838ffda35508940a7924ae8e331 |
| SHA512 | 5a9a0a8dc3ec19ba53d5a6ed1f1fe41d06bfb29d2dfa3ca2311f223536dbb2250ed6277abbe0e0cefd6ac30a14633efc05d89fa7812c03dd6f872b194bce212c |
C:\ProviderdriverIntocommon\agbLTe.bat
| MD5 | 3a8731fb4a1c8ac840d9da87b0fabc01 |
| SHA1 | 589cd7631e9487d7287028a9b5e3011ddeb93b02 |
| SHA256 | bc644fae4d644abc18bd3402435843b5334899e9d4b4871d1fb3c70e7886f353 |
| SHA512 | 2582a5c027f1fcf2cc9a2c5b65bd85416e019d1a8dd36f83c8a324d9fd37a4f84f635dafd3dd47f045eff9e106d1411a0ea85616b46982770cdce3fe0db6d9fb |
memory/1572-100-0x0000000000D00000-0x0000000000E5C000-memory.dmp
memory/1572-101-0x0000000001730000-0x000000000173E000-memory.dmp
memory/1572-102-0x000000001BA80000-0x000000001BA9C000-memory.dmp
memory/1572-103-0x000000001BAF0000-0x000000001BB40000-memory.dmp
memory/1572-104-0x000000001BAA0000-0x000000001BAB6000-memory.dmp
memory/1572-105-0x0000000003090000-0x00000000030A0000-memory.dmp
memory/1572-106-0x000000001BAC0000-0x000000001BACE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blocksavesdll.exe.log
| MD5 | 7800fca2323a4130444c572374a030f4 |
| SHA1 | 40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa |
| SHA256 | 29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e |
| SHA512 | c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554 |
memory/1112-143-0x000000001D190000-0x000000001D352000-memory.dmp
memory/1112-144-0x000000001E840000-0x000000001ED68000-memory.dmp