Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12/04/2024, 02:23

Behavioral task: behavioral1
Sample: Nezur.exe
Resource: win7-20240221-en

General
Target: Nezur.exe
Size: 4.6MB
MD5: 483bc175a855a89d93cb00577bbb7920
SHA1: 55b1ca916684328da9b004083189bf92ccd29138
SHA256: 42317a2bf653554d75fee360889868dca0d1fa4cd8db24dac5e616e4ea6208c3
SHA512: 3b186a5f644711634a331d7bf771cb7247a889fe65c3fc138de20cbb45f2f83bf060e6257444812d681015b8fddf1af03282a941ebd3019c5673a79cc1cc4ea7
SSDEEP: 98304:URkvYI8Xa9jB6TKw/h4z+sLDuOl/+ooXE9jwzb6G:USvUa9jwk+sew/+ooXE4
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Nezur.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Nezur.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Nezur.exe)
Themida packer (YARA rule: themida) (8 IoCs)
All matches are in the same mapped image of PID 2820, 0x000000013F550000-0x0000000140106000:
- behavioral1/memory/2820-0-0x000000013F550000-0x0000000140106000-memory.dmp
- behavioral1/memory/2820-2-0x000000013F550000-0x0000000140106000-memory.dmp
- behavioral1/memory/2820-3-0x000000013F550000-0x0000000140106000-memory.dmp
- behavioral1/memory/2820-4-0x000000013F550000-0x0000000140106000-memory.dmp
- behavioral1/memory/2820-5-0x000000013F550000-0x0000000140106000-memory.dmp
- behavioral1/memory/2820-6-0x000000013F550000-0x0000000140106000-memory.dmp
- behavioral1/memory/2820-7-0x000000013F550000-0x0000000140106000-memory.dmp
- behavioral1/memory/2820-10-0x000000013F550000-0x0000000140106000-memory.dmp

Checks whether UAC is enabled (1 IoC)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Nezur.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- PID 2820 Nezur.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
- PID 2464 taskkill.exe
Modifies Internet Explorer settings (64 IoCs)
Key paths below are relative to \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer; the acting process is in parentheses.
- Key created: IETld\LowMic (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Set value (int): MINIE\TabBandWidth = "500" (iexplore.exe)
- Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\MFV = (value not captured) (iexplore.exe)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Key created: MINIE (iexplore.exe)
- Set value (int): Recovery\AdminActive\{B80DCE00-F873-11EE-8698-5E73522EB9B5} = "0" (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Key created: GPU (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: Main\WindowsSearch (IEXPLORE.EXE)
- Key created: IETld\LowMic (iexplore.exe)
- Key created: InternetRegistry (iexplore.exe)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Key created: Toolbar (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = c0cefe8d808cda01 (iexplore.exe)
- Key created: Toolbar (iexplore.exe)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created: DOMStorage\1cheats.com (IEXPLORE.EXE)
- Set value (int): DOMStorage\1cheats.com\NumberOfSubdomains = "1" (IEXPLORE.EXE)
- Key created: GPU (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Key created: InternetRegistry (iexplore.exe)
- Key created: LowRegistry (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Key created: Main (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Key created: DOMStorage (IEXPLORE.EXE)
- Key created: TabbedBrowsing (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b0000000002000000000010660000000100002000000041ed6089a5cb2977a1784589842f23596883007fd2e6abefef133b2e3a16a186000000000e800000000200002000000042c8b8ad04a539184165a358a1d668b0e348fa107812ce33831fa52a336f263920000000e2596031719f7d21f7e2764d81d21d75d44c9291a4182e421f610bd739c0010340000000c3829f552da7d7680391ef37b4a717119481ead1a1518b4ff1403576a05b361238b74461cf8c520b478c4e01d3c141817537beb85ad5238c0da00f74bbaab98d (iexplore.exe)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Set value (int): SearchScopes\DownloadRetries = "2" (iexplore.exe)
- Set value (int): MINIE\TabBandWidth = "500" (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 (iexplore.exe)
- Key created: SearchScopes (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Set value (int): Recovery\AdminActive\{B80B6CA0-F873-11EE-8698-5E73522EB9B5} = "0" (iexplore.exe)
- Set value (int): TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Key created: Main (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Key created: MINIE (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2820 Nezur.exe (64 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2464 taskkill.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 2360 iexplore.exe
- PID 2516 iexplore.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 2360 iexplore.exe (2 occurrences)
- PID 2516 iexplore.exe (2 occurrences)
- PID 1008 IEXPLORE.EXE (4 occurrences)
- PID 1348 IEXPLORE.EXE (4 occurrences)

Suspicious use of WriteProcessMemory (32 IoCs)
Source PID and image, target PID and image (target index in the sandbox's process list), number of writes:
- 2820 Nezur.exe -> 2684 cmd.exe (target 29), 3 writes
- 2684 cmd.exe -> 2080 certutil.exe (target 30), 3 writes
- 2684 cmd.exe -> 2228 find.exe (target 31), 3 writes
- 2684 cmd.exe -> 2680 find.exe (target 32), 3 writes
- 2820 Nezur.exe -> 2616 cmd.exe (target 33), 3 writes
- 2616 cmd.exe -> 2464 taskkill.exe (target 34), 3 writes
- 2820 Nezur.exe -> 2516 iexplore.exe (target 35), 3 writes
- 2820 Nezur.exe -> 2360 iexplore.exe (target 36), 3 writes
- 2360 iexplore.exe -> 1008 IEXPLORE.EXE (target 39), 4 writes
- 2516 iexplore.exe -> 1348 IEXPLORE.EXE (target 40), 4 writes
Processes
Indentation shows the parent/child relationship; the bracketed number is the depth the sandbox recorded for each node.

[1] C:\Users\Admin\AppData\Local\Temp\Nezur.exe (PID 2820)
    command line: "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe (PID 2684)
      command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\certutil.exe (PID 2080)
        command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5

    [3] C:\Windows\system32\find.exe (PID 2228)
        command line: find /i /v "md5"

    [3] C:\Windows\system32\find.exe (PID 2680)
        command line: find /i /v "certutil"

  [2] C:\Windows\system32\cmd.exe (PID 2616)
      command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\taskkill.exe (PID 2464)
        command line: taskkill /f /im HTTPDebuggerUI.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Program Files\Internet Explorer\iexplore.exe (PID 2516)
      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://key.nezur.io/
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1348)
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

  [2] C:\Program Files\Internet Explorer\iexplore.exe (PID 2360)
      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://1cheats.com/store/product/41-nezur-key-bypass-lifetime-license/
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1008)
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2360 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\explorer.exe (PID 1608)
    command line: "C:\Windows\explorer.exe"

[1] C:\Windows\explorer.exe (PID 864)
    command line: "C:\Windows\explorer.exe"
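Two things in this tree are worth turning into detection logic: the registry probes recorded against PID 2820 (the VirtualBox ACPI table, the two BIOS version strings and EnableLUA) and the two child command lines. The certutil pipeline drops every output line containing "md5" or "certutil", which leaves only the digest line, so the parent receives its own MD5 and nothing else (an integrity check on the running binary, on the face of it); the taskkill child terminates HTTPDebuggerUI.exe by image name. The Python below is an added example, not part of the sandbox output or of the sample. It encodes those observations as rules, runs them over events constructed from the tables above (the Event schema and the tag names are this example's own assumptions), and re-implements the two find /v filters against a constructed certutil output that reproduces the MD5 from the General section, so the reader can see exactly what survives the pipeline.

```python
"""Added example, not part of the sandbox output: detection logic for the
anti-analysis behaviours recorded in this report, plus a re-implementation of
what the sample's certutil | find | find pipeline extracts.

The Event layout and the event list are constructed by hand from the process
tree and signature tables above (assumed schema, not the sandbox's export).
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (detail = command line) or "registry" (detail = key path)
    pid: int
    image: str
    detail: str


# Constructed from the report: PIDs, images, key paths and arguments as listed above.
SAMPLE_EVENTS = [
    Event("registry", 2820, "Nezur.exe", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event("registry", 2820, "Nezur.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event("registry", 2820, "Nezur.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event("registry", 2820, "Nezur.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    Event("process", 2684, "cmd.exe",
          r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5'
          r' | find /i /v "md5" | find /i /v "certutil"'),
    Event("process", 2464, "taskkill.exe", "taskkill /f /im HTTPDebuggerUI.exe"),
    Event("process", 2516, "iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe" https://key.nezur.io/'),
]

# (tag, event kind, pattern over the detail field). Tag names are this example's own.
RULES = [
    ("anti-vm:virtualbox-acpi", "registry", re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__", re.I)),
    ("anti-sandbox:bios-version", "registry",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("recon:uac-status", "registry", re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    ("anti-tamper:self-hash", "process", re.compile(r"certutil\s+-hashfile\b.*\|\s*find\s+/i\s+/v", re.I)),
    ("anti-analysis:kill-http-debugger", "process", re.compile(r"taskkill\s+/f\s+/im\s+HTTPDebugger", re.I)),
]


def classify(event: Event) -> list[str]:
    """Return every rule tag matching a single event (empty list = nothing flagged)."""
    return [tag for tag, kind, pat in RULES if event.kind == kind and pat.search(event.detail)]


def summarize(events) -> dict[str, set[int]]:
    """Map each triggered tag to the set of PIDs that triggered it."""
    hits: dict[str, set[int]] = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            hits[tag].add(ev.pid)
    return dict(hits)


# --- What the sample's pipeline leaves of certutil's output -------------------
# find /i /v "md5" removes every line containing "md5" (case-insensitive) and the
# second find removes every line containing "certutil", so only the digest line survives.
def certutil_pipeline(output: str) -> list[str]:
    return [ln for ln in output.splitlines()
            if "md5" not in ln.lower() and "certutil" not in ln.lower()]


def extracted_md5(output: str) -> Optional[str]:
    """Normalise the surviving line; Windows 7's certutil prints space-separated byte pairs."""
    lines = [ln for ln in certutil_pipeline(output) if ln.strip()]
    if len(lines) != 1:
        return None
    digest = lines[0].replace(" ", "").lower()
    return digest if re.fullmatch(r"[0-9a-f]{32}", digest) else None


# Constructed to mimic certutil -hashfile output for the MD5 reported in the General section.
CERTUTIL_OUTPUT = (
    "MD5 hash of file C:\\Users\\Admin\\AppData\\Local\\Temp\\Nezur.exe:\r\n"
    "48 3b c1 75 a8 55 a8 9d 93 cb 00 57 7b bb 79 20\r\n"
    "CertUtil: -hashfile command completed successfully.\r\n"
)
REPORTED_MD5 = "483bc175a855a89d93cb00577bbb7920"


if __name__ == "__main__":
    for tag, pids in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{tag:34s} pids={sorted(pids)}")
    print("self-hash equals reported MD5:", extracted_md5(CERTUTIL_OUTPUT) == REPORTED_MD5)
```

The rules key on the literal paths and arguments in this report rather than on Nezur.exe's name or hash, so they would also fire on a repacked build that keeps the same anti-analysis routine; the iexplore.exe event is included as a negative case and matches nothing.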
Network
MITRE ATT&CK Enterprise v15
Downloads
Entries without a path were listed by the sandbox with hashes only.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: 34e91b86f49c2a3854e5321fd6a59a32
  SHA1: e9cbfb9bbba48618acc534a84123faf41574fc0a
  SHA256: 415513569a8b4d70d2f170ea7363532aa3cbf4ca48f49a116ee37bb234e83f5c
  SHA512: 2d0372fea11cde8ae887022155e190beb57305fc9c435a196a482c688e948de637dcd706fdc19f0050150a9ee13fd45007800a42f79162ad417e7876417ca4e1

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_C0E9A060DFB4E460CC3576DA89FF9A7C
  Filesize: 471B
  MD5: 6f3ac55eec72c1fe970d47adb458ffa6
  SHA1: c64fecd18f0c83b5f38f3cfdc4c3a92a7c86e966
  SHA256: cd73ccabb144fcaea270ada73bb355ea29ad212aa7b73aeee9f70a516c1b6d0d
  SHA512: 0e02a4f7e1481bf603873a8cce6f405365c773d51e17581375e5dc271a5c47fff9adefd2da0f4296bfdb43bddf4033681067501a20e4328033d9c550fce2f90e

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 24b17a40792300994da572d4328a3812
  SHA1: 24e05e92ec1025e5af01f12c70423d313bc123aa
  SHA256: faf24c60f58c858abc296f52a4ea7c2f414f11c3ded7c54f04ef67d82a0f48f9
  SHA512: d54daaa8924df61814b60eb1eca0fd39559e6023ea7d798544d3bac5a57aa8f10dba9ec33745bfbebb47237bacc918b3351b3c5b87c9e68b27555427c9c898d1

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 6b9ef48ec77caf38ac4d8629c5dc7577
  SHA1: 029d7e06533bcef05f8008f2a3db1fe001333909
  SHA256: 77a41cc24f54ace72062be944aacac40852c3c6065d51cf1c80e0b825bf758c0
  SHA512: 238d268712bd0d7e8495a9c286ba9e9c541794375399dd890edc5beb44510da99f29ee82e0f14e2686926b6b81cce02b6caf3c078cdb358757cd9ea622980988

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: aa6bb32be74ec9e12c3dbcccb422e2c0
  SHA1: cd921eb9e11759b1d0e22fd10f902a6c223203b3
  SHA256: f59487090d3a2a18b615f62302f493512ecb3f8b8a70eb653974bcc071877969
  SHA512: 10f396424bc989aeb3cd91bd1129b713affd2c1bc1a5425afb48d060ce8cc63ddd56b29f7d7504e6a9f88d8e11545071e2b88b9a726499103b74b38696b38da9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 3836a773944a4005590e8827465083be
  SHA1: ee5baca7ab660f5c7f78d3db4ff2409275fe01ae
  SHA256: 865f85ee866eb63aab6bab09693f496ed5fbc703ffbcbde1eac1b2c900202147
  SHA512: 023d26706688dff6c32a14025f3a9a60fffbe390ee1531435612a31dbdafa70cfa5ac75c1535ed069edb852a1bc7ca5f095107ca05cd76ec0cfe484fce99199f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 34a2edb537f4c34785afbca62cd3e999
  SHA1: 7f77ad57d71096c0a36df58d1be0b8f0272572ce
  SHA256: 8d820063a2357d5c810f5cd85f05773680812062faa0fdd0b57dcc0ae6d60410
  SHA512: a67f57e070bcfab80fa6c1a7b2bbdcadcb407fec588888fae4d30143db6eaaf050402c932ebe348837df9e82e1f61dd8e94ac05fb3e8226e8c23ea0e29bc448c

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a0b180edb178e6c527d63a6b78f91796
  SHA1: f1618fff2592649e1324e27f54cdb42e6a73b1eb
  SHA256: c90ba8732690bbb261c00d046ff3e6ad807744aeaeddfbe5afdf80f2e6b39d30
  SHA512: 7f7168c2f4bb723f802d1d05b5d2a7c7e2aba9abf6e75047f08a2b8a7d739092222276b89608f63b18a33744200e03097af2b94a9bb045b14a8ec26998ab2eda

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 61339c481b5ed8fcdd1519f82b4f134c
  SHA1: 6786e00b279add09aafe27859a9014e8facb7198
  SHA256: b570d5d845a896bff5ca36bd0302dc117cc931241f46792e58ce989cfb19c2f4
  SHA512: fae09132e9627b8cd92283628ed4eb5612e8cc93738c2cb37cf507ae265eaffcae58fc283c1af2b80f0091a4ff605c7bb3e6bdab519141d2d3500df0dadeb962

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 2985cef36605257d54653f4962d28b8e
  SHA1: d4723e9df020bc35b1ea6a175b8bc59f810f2851
  SHA256: c82009e9ee93816239be84b1bb249b501b139dc723f318ab8196fa3fa3cc5ec1
  SHA512: 8b67d56e74a3708e8f55379c59845b325e33ba4dbb2dcf456491ec78df10a8cffc4cf2de08dc40c8f8e1a122c26b6eea7ad3b2e94cb1cc73f5a6d5b364cc58aa

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 15f966c594981baa2355958faf983510
  SHA1: f15c25adc8206517de083d7df53c98f091fdff8f
  SHA256: 9115bc8650ca5c8aae4122a111ef99b8f68b150471cf66cf6a130a8f5794df3a
  SHA512: 8a2b4b409067027926fe83883155891b5d3135a317c086cceeaa68f55d7604727a2fe1fa0ad218cf406109fa03d21a26ec21b9d792f5e1d0795550548b87bf94

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a929901bd3c10dbe329f1a0d88033516
  SHA1: 2229244c7b763df21e2f35fc4df82e92b86ba8e9
  SHA256: 2793aea7653dc2ecaed73a91fd1b5e2f3736cf56565a7b3c9d9852de44528713
  SHA512: d429524b493297a3de1eccc6446dd72425a9b94c514046caf1b18498454caf77eef0ec0ff358c7f6ee1062c69ba664e4423b260165d02590f46b7f6c5243a64d

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 54cee37fc165a845e47acca97b081859
  SHA1: a5b43baae0ef5fc933547db666711327080f95d9
  SHA256: ccbc2dfbbf8d19e347385a716fea219e23e19b67d39c657b8da6193d2e608d77
  SHA512: 082d6f08dd77fe7dd0e3baf368b6753a7158038b25464e3f9474bc34cf9eaf985b7b190234f360b6fcf2c11435ef60b0bb32f2ee3c6a0966b129a299bb971723

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 59ce1d55d9b8c397dea24bbfbb7667b9
  SHA1: 4d21ed64b87b4de3a4ef598e077656edf2ffa4e5
  SHA256: d7ff6acc40bacaa706911669a93592711cba9ebbf43b67357eeb0c9859701154
  SHA512: f943bf8dc4fe63a7299359732a9fca0470fc61528f812969d4ead8753bb33d440302196bc2c7560e000b00e607eaf4cd34f64cf65e2a8070c7c8f0adb12a67ce

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 4013f6d9659030150f7232381c536839
  SHA1: 0fc9f3e1431973306c42d4af5c201e78edcb2b14
  SHA256: 4d4c03348c060bfabb49a9306c7d743a129aad7d4f38c4b62e1981e58bfe618b
  SHA512: ec471de9b4b445c81449091ea8f95c43f656b6d91bed8492cee6aafd113a5bc71bd8b8fa2e044d568e6c93e06c7992b635b1c54485d33dc07705d4ef784ff0cb

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 9efe3df93d368565f0fc82b73375b402
  SHA1: e15eb7c3f9d145b6a5b5d5a1074250c23642f4f1
  SHA256: c3bb4b2e5ccccdbcc8cee8ecf7c46d3ee19970b142ce6196f25e0e193e59cece
  SHA512: 6d89e1ea92fd69a3650751621f93c770a364a4c0844496cf19289f45aa903513a0c93f8dd6d3f10f07546d093b559fed6309601332967b8b3f1befa428813670

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 392B
  MD5: e5ab587c77af18788398997159a2893a
  SHA1: 69c970f7332cdd1563183d3d07c422378766cbcc
  SHA256: 078df8a16e9919e295df5fc7bb0d0797d390251f159aaeb01784384ca9f09e24
  SHA512: 96d591a5ccfdc7f594218d501e0fcc2494fb19fb3dffc05bc541b1bff0210ea62c746a467c255859df23486abb3b5e6ec6b9428bde6ecff8d7934a24d0103f5d

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: fda17d5b63b4cbb615ebdefa45a17c4c
  SHA1: b9846c7e33450b0bb612f3b8bb0c79163a2d6592
  SHA256: 00069698425051f406f99930af20812f769138de0c23815a4985a8899b864403
  SHA512: 49bb628247e6b04b103e583ee34b0d97c2b69055071e008903ae05eae334561048a5088a142e4c3832e2abaa3b61042b430b618e382cc029bbb1c501334a85b2

- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B80B6CA0-F873-11EE-8698-5E73522EB9B5}.dat
  Filesize: 5KB
  MD5: c26673c3ff93e471818da38e15b16cf5
  SHA1: ad6a2211c4b88eeefb0aee9899996bd52cf15b97
  SHA256: 8dbc68194958bafbbcb3206f3bd15aae34a4735dbf49b34ce936c220845b3260
  SHA512: 4d4b19d3c8b820e231cc8124fec8fb51817ff461a24e493b6acf0f31f7045da2b076f4f610047cbc6370603cd1c54fe7caff8e766ec99debfcaed6d44427ab37

- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B80DCE00-F873-11EE-8698-5E73522EB9B5}.dat
  Filesize: 3KB
  MD5: 908aa3cd291e2b849e78daf6f347cb11
  SHA1: 704010844ac9e39f5c22a376be17cb3b9c48aaa6
  SHA256: 99c13fe74a6d69532ac0fbcaf5510ee78e7a639cd40df9d384533330f63e2e53
  SHA512: 8f7826008614e85a516e989de6ff2ea22911b7daeaa5861309f4bd02826df607a75e60cd302045ea5679330965809e7d524a19b50fa91f1f12f2520533e9caf4

- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{BA76E2A0-D0CB-11EE-AB17-C695CBC44580}.dat
  Filesize: 5KB
  MD5: 8c030c032d1ce245a06516b1a7213851
  SHA1: b12bf70ee7bb425e8754c56503fc78587826282d
  SHA256: de8f19d0c3c190970cc67bb91f83415f3d8cf640389ec9a515df12909a4804d0
  SHA512: fefc9e645e98d8dadbf12632c2d86da1a4dba75df1a21cdb6ce2086a2656dfa04e15f0b3c63c2de332cc6ea7b55480e97df6815d5f8a9399d54cd01067521f78

- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{C9B778E0-F873-11EE-8698-5E73522EB9B5}.dat
  Filesize: 4KB
  MD5: 642f8d1645d825afd64b3c8205913e94
  SHA1: 3bcbc12caa5748e470b596d68f375066fdc6292c
  SHA256: 003aa36a8da5a5bf66404db40b4cd51c92a95201458f8fbcd4b0841e82fcdc06
  SHA512: 28646307ab3f9e6fe1be05e9bd98db82057bd220b8ef179fcf73038eef0317da423279fee7779d16f23dbaee539fafae4e2ba9733d7bc56a3eb3e4e638e33c82

- (no path listed)
  Filesize: 49KB
  MD5: b25592ef7642ddf646d76f40d8784f36
  SHA1: 576f25089f479309348698cea59d60fd39a63859
  SHA256: b43f983310a5e60910d15e3fbf561d817af8aa6fda37be28fa9fda2c6e10c7e3
  SHA512: 05d5417babe9256744ec29fd338e22b0cb405481b584487356de85c1eed830b4b089dbfd3fed97ffb152429cbe34eb265483e0511c6ac29a4f60c8f65ed79ca6

- (no path listed)
  Filesize: 50KB
  MD5: f4b38d79fe3b635e194b25967f487e9e
  SHA1: e8571a900259f08dc820e85992aa21b8b4a98b24
  SHA256: 221f330376078b6c2d64b27588aa6e8108567fc53e02181388b924c6bb0194f5
  SHA512: 06624fcdbacdc5d48fff35df940a182a5ffa0b62fb12e41144ef3d11f4a308daea447af8fe317bb38c569357f3633cd007c00e29e82820efd9ba1df27cdfaf12

- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\nds1[1].png
  Filesize: 49KB
  MD5: 02c982265e63c204b11d8143af1da94c
  SHA1: 39b0a164762edbe222cebfde0b7a15dfb6189749
  SHA256: 655a0545fb2a1e573f9aa3f0d18b79ebbdc5f268492124f2de67016261b2b359
  SHA512: e44aaa2cd6bd9747558fbc0f5060cf2ca3806f180fd7c41aa71e76bf8eb0a9898ec61705af0b1210442fda0b5bf750d8dad5bccafe8f5f2cd1efe3199f581b7d

- (no path listed)
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

- (no path listed)
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

- (no path listed)
  Filesize: 28KB
  MD5: cba697692a9db4940326ad86e145e650
  SHA1: 7735b1ae80de16c43ab3391158bedec27167e792
  SHA256: 0d2c39f2a4e8e428db893aea8432f81465219683bdda5adb7c9aaeb540c4f875
  SHA512: b66f9a5faf3e3fe35ecfa07953050fa07c9065593cbf2880d2c488c6cc545e086f012012b462c0a89b201ddd0b59fc0e7f9504b113547ff0dd31abf0521af288