Malware Analysis Report

2025-08-05 23:04

Sample ID 240412-dbfegach97
Target Nezur_External.zip
SHA256 8288d94f7db9c1d99ec5bfc0ae206d28bc8489b8276d2b638ab50eafd65469f7
Tags: themida, evasion, trojan
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256

8288d94f7db9c1d99ec5bfc0ae206d28bc8489b8276d2b638ab50eafd65469f7

Threat Level: Likely malicious

The file Nezur_External.zip was found to be: Likely malicious.

Reading the detonation as a whole: the archive carries Nezur.exe, an unsigned, Themida-packed 64-bit executable (image base 0x00007FF628E10000 in the memory dumps below). On launch it looks for VirtualBox (the ACPI DSDT VBOX__ key), reads the BIOS version strings, queries EnableLUA, hides its threads from debuggers with NtSetInformationThread, and hashes its own image with certutil -hashfile. It then force-terminates HTTP Debugger, Cheat Engine and Process Hacker through taskkill, stops the HTTPDebuggerPro service through sc, contacts keyauth.win (the KeyAuth licensing service) on 443, and opens Edge on key.nezur.io and on a 1cheats.com product page selling a "Nezur key bypass" licence. This is the profile of a commercial game-cheat loader defending its licence check: the anti-VM, anti-debug and tool-killing steps target reverse-engineering and traffic-interception tools, and the rest of the report (Edge renderer processes, CDN, Stripe and ad-network traffic) is browser noise from the two pages it opened. Within the 30-second capture the report shows no dropped second-stage payload, no persistence and no exfiltration; the score rests on the evasion and tampering behaviour.

Malicious Activity Summary

themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Kills process with taskkill

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 02:49

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 02:49

Reported

2024-04-12 02:51

Platform

win10v2004-20240226-en

Max time kernel

11s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A

Stops running service(s)

evasion
The service stopped is HTTPDebuggerPro (the HTTP Debugger Pro service), via "sc stop HTTPDebuggerPro"; see the cmd.exe and sc.exe entries under Processes.

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (9 matches)

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

These three reads come from msedge.exe, the browser the sample launched, not from Nezur.exe; the sample's own hardware checks are the VBOX__ and BIOS-version queries listed above.

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A (5 invocations)

The five invocations are the five taskkill command lines under Processes: HTTPDebuggerUI.exe, HTTPDebuggerSvc.exe, and the wildcard filters cheatengine*, httpdebugger* and processhacker*.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A (64 events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A (3 events)

SeDebugPrivilege is enabled by taskkill.exe itself when asked to force-terminate (/F) another process; the token adjustment is not made by Nezur.exe.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (25 events)

All 25 calls come from the Edge processes the sample launched; looking up the taskbar window is ordinary browser UI behaviour, not something Nezur.exe did.

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (24 events)

As with FindShellTrayWindow, every call is from msedge.exe, not from Nezur.exe.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3076 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | C:\Windows\system32\cmd.exe | 2
PID 4748 wrote to memory of 2540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe | 2
PID 4748 wrote to memory of 1380 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe | 2
PID 4748 wrote to memory of 1492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe | 2
PID 3076 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | C:\Windows\system32\cmd.exe | 2
PID 2688 wrote to memory of 4824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe | 2
PID 3076 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2
PID 1016 wrote to memory of 5024 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2
PID 3076 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2
PID 896 wrote to memory of 4808 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2
PID 3076 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | C:\Windows\system32\cmd.exe | 2
PID 1868 wrote to memory of 1612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe | 2
PID 1016 wrote to memory of 4100 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 40

Every row is a parent writing into a child it has just created: Nezur.exe (3076) into the three cmd.exe and two msedge.exe processes it spawned, cmd.exe into certutil, find and taskkill, and Edge's browser process into its own helper processes. That is what this signature records during process start-up. There is no write from Nezur.exe into a process it did not spawn, so the table gives no evidence of injection into an existing process.

Processes

C:\Users\Admin\AppData\Local\Temp\Nezur.exe

"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://key.nezur.io/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd148346f8,0x7ffd14834708,0x7ffd14834718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://1cheats.com/store/product/41-nezur-key-bypass-lifetime-license/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd148346f8,0x7ffd14834708,0x7ffd14834718

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3412 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,17282308249568827119,14019861754216221938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10944376369173238382,9281211421175461599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
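The five taskkill calls, the sc stop and the certutil self-hash in the list above are the behaviours a detection rule should key on. The following Python is an added example written for this report, not part of the sandbox output: it classifies process-creation command lines, with SAMPLE_CMDLINES constructed from the Processes section; ANALYSIS_TOOLS and the tag names are the author's own choices, not a vendor rule set.

```python
"""Flag anti-analysis command lines like those in this detonation.

Added example for this report, not part of the sandbox output. SAMPLE_CMDLINES
is constructed from the Processes section; ANALYSIS_TOOLS and the tag names
are the author's own choices (assumption), not a vendor rule set.
"""
import re

# Name fragments of debugging, tampering and traffic-interception tools that
# loaders commonly terminate. Assumption: a starter list, extend as needed.
ANALYSIS_TOOLS = (
    "httpdebugger", "cheatengine", "processhacker", "procmon", "procexp",
    "x64dbg", "x32dbg", "ollydbg", "wireshark", "fiddler", "ida64",
)

_TASKKILL_IM = re.compile(r'/im\s+"?([^\s"]+)', re.IGNORECASE)             # taskkill /IM name
_TASKKILL_FI = re.compile(r'imagename\s+eq\s+"?([^\s"]+)', re.IGNORECASE)  # /FI "IMAGENAME eq x*"
_SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
_CERTUTIL = re.compile(r'certutil(?:\.exe)?\s+-hashfile\s+"?([^"]+?)"?\s+(\w+)', re.IGNORECASE)


def _is_analysis_tool(name: str) -> bool:
    n = name.lower()
    return any(tool in n for tool in ANALYSIS_TOOLS)


def classify(cmdline: str) -> dict:
    """Return {'tags': [...], 'targets': [...]} for one process command line."""
    low = cmdline.lower()
    tags, targets = [], []

    if "taskkill" in low:
        names = [n for n in _TASKKILL_IM.findall(cmdline) + _TASKKILL_FI.findall(cmdline)
                 if n != "*"]
        targets.extend(names)
        if any(_is_analysis_tool(n) for n in names):
            tags.append("kills-analysis-tool")
        # '/FI "IMAGENAME eq x*" /IM * /F /T' kills every match and its children
        if "/fi" in low and "/im *" in low:
            tags.append("wildcard-taskkill")

    m = _SC_STOP.search(cmdline)
    if m:
        targets.append(m.group(1))
        if _is_analysis_tool(m.group(1)):
            tags.append("stops-analysis-service")

    m = _CERTUTIL.search(cmdline)
    if m:
        # A process hashing a file is unusual outside admin scripts; compare the
        # target with the parent's image path to confirm a self-integrity check.
        targets.append(m.group(1))
        tags.append("certutil-hashfile")

    return {"tags": tags, "targets": targets}


def scan(cmdlines):
    """Return [(cmdline, tags, targets)] for every line that got at least one tag."""
    hits = []
    for c in cmdlines:
        r = classify(c)
        if r["tags"]:
            hits.append((c, r["tags"], r["targets"]))
    return hits


# Constructed from the Processes section of this report; benign lines are
# included so the filter has something to ignore.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"',
    r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5 | find /i /v "md5" | find /i /v "certutil"',
    r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5',
    r'find /i /v "md5"',
    r'C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1',
    r'taskkill /f /im HTTPDebuggerSvc.exe',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://key.nezur.io/',
    r'sc stop HTTPDebuggerPro',
    r'taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T',
    r'taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T',
    r'C:\Windows\System32\CompPkgSrv.exe -Embedding',
]

if __name__ == "__main__":
    for cmd, tags, targets in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(tags):40} {targets} <- {cmd}")
```

Feed it Sysmon event 1 or 4688 command lines; the cmd.exe wrapper and the child it spawns both match, which is intentional, since either may be the only one logged depending on auditing. The wildcard filter form (/FI "IMAGENAME eq x*" /IM * /F /T) is rare in legitimate administration and is worth its own tag.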

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | keyauth.win | udp
US | 104.26.1.5:443 | keyauth.win | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | x2.c.lencr.org | udp
BE | 23.55.97.11:80 | x2.c.lencr.org | tcp
US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp
N/A | 127.0.0.1:64164 | - | tcp
N/A | 127.0.0.1:64166 | - | tcp
US | 8.8.8.8:53 | key.nezur.io | udp
US | 104.26.7.104:443 | key.nezur.io | tcp
US | 8.8.8.8:53 | 1cheats.com | udp
US | 8.8.8.8:53 | a.nel.cloudflare.com | udp
US | 104.26.4.38:443 | 1cheats.com | tcp
US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp
US | 35.190.80.1:443 | a.nel.cloudflare.com | udp
US | 138.91.171.81:80 | - | tcp
US | 8.8.8.8:53 | 104.7.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | use.fontawesome.com | udp
US | 172.64.207.38:443 | use.fontawesome.com | tcp
US | 172.64.207.38:443 | use.fontawesome.com | tcp
US | 172.64.207.38:443 | use.fontawesome.com | tcp
N/A | 127.0.0.1:3000 | - | tcp
US | 8.8.8.8:53 | 38.4.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp
US | 8.8.8.8:53 | 38.207.64.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp
US | 172.64.207.38:443 | use.fontawesome.com | tcp
US | 8.8.8.8:53 | js.stripe.com | udp
US | 151.101.0.176:443 | js.stripe.com | tcp
US | 8.8.8.8:53 | code.jquery.com | udp
US | 151.101.66.137:443 | code.jquery.com | tcp
US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp
US | 104.26.4.38:443 | 1cheats.com | tcp
US | 8.8.8.8:53 | 176.0.101.151.in-addr.arpa | udp
US | 8.8.8.8:53 | 137.66.101.151.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.169.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | m.stripe.network | udp
US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp
GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp
US | 8.8.8.8:53 | 226.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | challenges.cloudflare.com | udp
US | 104.17.2.184:443 | challenges.cloudflare.com | tcp
US | 104.17.2.184:443 | challenges.cloudflare.com | tcp
US | 8.8.8.8:53 | 184.2.17.104.in-addr.arpa | udp
N/A | 224.0.0.251:5353 | - | udp

Reading the table: the *.in-addr.arpa rows are reverse (PTR) lookups of addresses already contacted (5.1.26.104.in-addr.arpa is 104.26.1.5, the keyauth.win endpoint; 104.7.26.104.in-addr.arpa is key.nezur.io's 104.26.7.104; 38.4.26.104.in-addr.arpa is 1cheats.com's 104.26.4.38), not additional destinations. "-" marks a connection for which no DNS answer was captured; the report does not attribute rows to a process, so 138.91.171.81:80 and the 127.0.0.1 sockets (64164, 64166, 3000) need a packet capture or per-process socket log to explain. The sample-specific destinations are keyauth.win (the licence check) and key.nezur.io and 1cheats.com (opened in Edge); x2.c.lencr.org is Let's Encrypt certificate-chain retrieval during TLS validation, fontawesome, jquery, Stripe, doubleclick, Cloudflare challenges and a.nel.cloudflare.com are what those web pages load, and 224.0.0.251:5353 is mDNS.

Files

memory/3076-0-0x00007FF628E10000-0x00007FF6299C6000-memory.dmp

memory/3076-1-0x00007FFD23150000-0x00007FFD23345000-memory.dmp

memory/3076-2-0x00007FF628E10000-0x00007FF6299C6000-memory.dmp

memory/3076-3-0x00007FF628E10000-0x00007FF6299C6000-memory.dmp

memory/3076-4-0x00007FF628E10000-0x00007FF6299C6000-memory.dmp

memory/3076-5-0x00007FF628E10000-0x00007FF6299C6000-memory.dmp

memory/3076-7-0x00007FF628E10000-0x00007FF6299C6000-memory.dmp

memory/3076-6-0x00007FF628E10000-0x00007FF6299C6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e1b45169ebca0dceadb0f45697799d62
SHA1 803604277318898e6f5c6fb92270ca83b5609cd5
SHA256 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9ffb5f81e8eccd0963c46cbfea1abc20
SHA1 a02a610afd3543de215565bc488a4343bb5c1a59
SHA256 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA512 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

\??\pipe\LOCAL\crashpad_1016_JSCNFFFWVLXPATAO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1807cdfea20022a28fd62ee8ce12a177
SHA1 6f505b0df6696c6d0ce4b524d2d05f78bc5e0c6c
SHA256 750d4affccbc1b344cd3a7bbf963011286586989969352250df078ea0e84856c
SHA512 f801cbcdfd0710df47c22a270b85ca002d484ed551bde7e41e68489e6de69fbde0163c61c33bbf96869375812e8251d1c2644e4303b4e7e21bcb283f35464fe8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cbfd5a2561f685b95176a301e0ba4c12
SHA1 ef8575d41170047b4ddddb28958b2cdfd51e5560
SHA256 c26df6e44f329ea8e8e0712a09efe05637ba1231d7e77b49c97015beeda98bd4
SHA512 bce31da787e48a3c7cbf3f7c6f43aa24fa37cd8831fd088c45769e680540123fd60227f4eaa92d0a399ff901773671afb5b69b00d8f64d52443e75bf61518a0d

memory/3076-149-0x00007FF628E10000-0x00007FF6299C6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 55d28c5aff50c6deac6206a20a211010
SHA1 eb861d1618cb5ac0528106c20393ad736c8121f9
SHA256 dff1e0081be1ed9a3b9431cb603f75e9894d92eb52fd435a587bac13d24a185a
SHA512 983f2e28182efb7bb9ed8b5b0fea409d08e31eb5d2132b2490671e62a41793b0a60bd1a3f02acd31e5b20e41c60e0ff301836fadb5b284313df77f349e30db05

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d40c5d9ba7a05a4bcc793f67d9cded87
SHA1 c5c3cc077edf0ff7dc6a38dd6d0def45f13eefea
SHA256 d527e97fcfa016d7d518c754941661a0f65f65406a4aa95498c6a14cf9eca8a9
SHA512 8bf1ad653af4251edc357461d1638b3a209ccbcc8d32d05a39c5922894838e82b9a47c91f89e350e7cf9abd9418229d64583e8f70d394a50b4f2d136d23c3c21

memory/3076-173-0x00007FF628E10000-0x00007FF6299C6000-memory.dmp