Malware Analysis Report

2025-08-05 23:04

Sample ID 240412-ct89tsce24
Target 1231232f82h.zip
SHA256 8288d94f7db9c1d99ec5bfc0ae206d28bc8489b8276d2b638ab50eafd65469f7
Tags themida evasion trojan
Score 9/10


Analysis Overview

Score 9/10

SHA256

8288d94f7db9c1d99ec5bfc0ae206d28bc8489b8276d2b638ab50eafd65469f7

Threat Level: Likely malicious

The file 1231232f82h.zip was found to be: Likely malicious.

Malicious Activity Summary

themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 02:23

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 02:23

Reported

2024-04-12 02:26

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B80DCE00-F873-11EE-8698-5E73522EB9B5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0cefe8d808cda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\1cheats.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\1cheats.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b0000000002000000000010660000000100002000000041ed6089a5cb2977a1784589842f23596883007fd2e6abefef133b2e3a16a186000000000e800000000200002000000042c8b8ad04a539184165a358a1d668b0e348fa107812ce33831fa52a336f263920000000e2596031719f7d21f7e2764d81d21d75d44c9291a4182e421f610bd739c0010340000000c3829f552da7d7680391ef37b4a717119481ead1a1518b4ff1403576a05b361238b74461cf8c520b478c4e01d3c141817537beb85ad5238c0da00f74bbaab98d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B80B6CA0-F873-11EE-8698-5E73522EB9B5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2684 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2684 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2684 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2684 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2820 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2616 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2616 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2820 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2820 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2820 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2820 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2820 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2820 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2360 wrote to memory of 1008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2360 wrote to memory of 1008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2360 wrote to memory of 1008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2360 wrote to memory of 1008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2516 wrote to memory of 1348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2516 wrote to memory of 1348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2516 wrote to memory of 1348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2516 wrote to memory of 1348 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Nezur.exe

"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://key.nezur.io/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://1cheats.com/store/product/41-nezur-key-bypass-lifetime-license/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2360 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.91:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 104.26.1.5:443 keyauth.win tcp
US 104.26.1.5:443 keyauth.win tcp
N/A 127.0.0.1:49198 N/A tcp
N/A 127.0.0.1:49200 N/A tcp
US 8.8.8.8:53 1cheats.com udp
US 8.8.8.8:53 key.nezur.io udp
US 104.26.6.104:443 key.nezur.io tcp
US 104.26.6.104:443 key.nezur.io tcp
US 104.26.4.38:443 1cheats.com tcp
US 104.26.4.38:443 1cheats.com tcp
US 104.26.4.38:443 1cheats.com tcp
US 104.26.4.38:443 1cheats.com tcp
US 104.26.4.38:443 1cheats.com tcp
US 104.26.4.38:443 1cheats.com tcp
US 8.8.8.8:53 use.fontawesome.com udp
US 8.8.8.8:53 code.jquery.com udp
US 172.64.207.38:443 use.fontawesome.com tcp
US 172.64.207.38:443 use.fontawesome.com tcp
US 151.101.66.137:443 code.jquery.com tcp
US 151.101.66.137:443 code.jquery.com tcp
US 8.8.8.8:53 js.stripe.com udp
US 151.101.0.176:443 js.stripe.com tcp
US 151.101.0.176:443 js.stripe.com tcp
US 104.26.4.38:443 1cheats.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
US 104.26.4.38:443 1cheats.com tcp
N/A 127.0.0.1:49207 N/A tcp
N/A 127.0.0.1:49209 N/A tcp
N/A 127.0.0.1:49212 N/A tcp
N/A 127.0.0.1:49214 N/A tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
US 104.26.6.104:443 key.nezur.io tcp

Files

memory/2820-0-0x000000013F550000-0x0000000140106000-memory.dmp

memory/2820-1-0x0000000077080000-0x0000000077229000-memory.dmp

memory/2820-2-0x000000013F550000-0x0000000140106000-memory.dmp

memory/2820-3-0x000000013F550000-0x0000000140106000-memory.dmp

memory/2820-4-0x000000013F550000-0x0000000140106000-memory.dmp

memory/2820-5-0x000000013F550000-0x0000000140106000-memory.dmp

memory/2820-6-0x000000013F550000-0x0000000140106000-memory.dmp

memory/2820-7-0x000000013F550000-0x0000000140106000-memory.dmp

memory/2820-10-0x000000013F550000-0x0000000140106000-memory.dmp

memory/2820-11-0x0000000077080000-0x0000000077229000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B80DCE00-F873-11EE-8698-5E73522EB9B5}.dat

MD5 908aa3cd291e2b849e78daf6f347cb11
SHA1 704010844ac9e39f5c22a376be17cb3b9c48aaa6
SHA256 99c13fe74a6d69532ac0fbcaf5510ee78e7a639cd40df9d384533330f63e2e53
SHA512 8f7826008614e85a516e989de6ff2ea22911b7daeaa5861309f4bd02826df607a75e60cd302045ea5679330965809e7d524a19b50fa91f1f12f2520533e9caf4

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B80B6CA0-F873-11EE-8698-5E73522EB9B5}.dat

MD5 c26673c3ff93e471818da38e15b16cf5
SHA1 ad6a2211c4b88eeefb0aee9899996bd52cf15b97
SHA256 8dbc68194958bafbbcb3206f3bd15aae34a4735dbf49b34ce936c220845b3260
SHA512 4d4b19d3c8b820e231cc8124fec8fb51817ff461a24e493b6acf0f31f7045da2b076f4f610047cbc6370603cd1c54fe7caff8e766ec99debfcaed6d44427ab37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 34e91b86f49c2a3854e5321fd6a59a32
SHA1 e9cbfb9bbba48618acc534a84123faf41574fc0a
SHA256 415513569a8b4d70d2f170ea7363532aa3cbf4ca48f49a116ee37bb234e83f5c
SHA512 2d0372fea11cde8ae887022155e190beb57305fc9c435a196a482c688e948de637dcd706fdc19f0050150a9ee13fd45007800a42f79162ad417e7876417ca4e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 24b17a40792300994da572d4328a3812
SHA1 24e05e92ec1025e5af01f12c70423d313bc123aa
SHA256 faf24c60f58c858abc296f52a4ea7c2f414f11c3ded7c54f04ef67d82a0f48f9
SHA512 d54daaa8924df61814b60eb1eca0fd39559e6023ea7d798544d3bac5a57aa8f10dba9ec33745bfbebb47237bacc918b3351b3c5b87c9e68b27555427c9c898d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6b9ef48ec77caf38ac4d8629c5dc7577
SHA1 029d7e06533bcef05f8008f2a3db1fe001333909
SHA256 77a41cc24f54ace72062be944aacac40852c3c6065d51cf1c80e0b825bf758c0
SHA512 238d268712bd0d7e8495a9c286ba9e9c541794375399dd890edc5beb44510da99f29ee82e0f14e2686926b6b81cce02b6caf3c078cdb358757cd9ea622980988

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 fda17d5b63b4cbb615ebdefa45a17c4c
SHA1 b9846c7e33450b0bb612f3b8bb0c79163a2d6592
SHA256 00069698425051f406f99930af20812f769138de0c23815a4985a8899b864403
SHA512 49bb628247e6b04b103e583ee34b0d97c2b69055071e008903ae05eae334561048a5088a142e4c3832e2abaa3b61042b430b618e382cc029bbb1c501334a85b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-12 02:23

Reported

2024-04-12 02:26

Platform

win10v2004-20240319-en

Max time kernel

171s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 4540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1104 wrote to memory of 4540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1104 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1104 wrote to memory of 1148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1104 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1104 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2036 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 5080 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5080 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2036 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2036 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2036 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 532 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 532 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2036 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2036 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3112 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3112 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2036 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 4588 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4588 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 4984 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4984 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2036 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Nezur.exe C:\Windows\system32\cmd.exe
PID 2916 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2916 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Nezur.exe

"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://key.nezur.io/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5148 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5028 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5408 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://1cheats.com/store/product/41-nezur-key-bypass-lifetime-license/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5788 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5824 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5996 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6304 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6440 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6316 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6616 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=3876 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6940 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7104 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8

Network


Files
