e2a887bd61ab55744c97ace4fafd1e23cd19745059b60accdbcba78cadf870b9

Analysis

max time kernel
33s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nero.exe
Size

41.5MB
MD5

3b6ec03139d62b910464e2a1ac0f1058
SHA1

fa1d51d89d25a0ce9372c1a547ea739ae6f4ab10
SHA256

e2a887bd61ab55744c97ace4fafd1e23cd19745059b60accdbcba78cadf870b9
SHA512

81311d2ca4145f5f29576af61b17546454c87d167680347321fb7d8b3478ebf5882f5dbeb9d1207074be67cfccd91f4999b9c242162aea1c6c870a4cac3aedfc
SSDEEP

786432:fX05uUyvA1G+jyD+4iW1thZvC/yFSxplsNiXXA5p9R6:fX0Tc+jyhiCx4yFkuYA5p9Y

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ ISSetupPrerequisistes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NeroInstallFiles\\NERO20160815105321578\\setup.exe\""	setup.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
32	3944	MSIEXEC.EXE
35	3944	MSIEXEC.EXE
37	3944	MSIEXEC.EXE
39	3944	MSIEXEC.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Nero.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	PRQStarter-1.exe

Executes dropped EXE 4 IoCs

pid	Process
4508	setup.exe
2324	PRQStarter-1.exe
3372	NeroOSValidator.exe
4720	PRQStarter-1.exe

Loads dropped DLL 9 IoCs

pid	Process
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRQStarter-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nero.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRQStarter-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NeroOSValidator.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3944	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3944	MSIEXEC.EXE
Token: SeSecurityPrivilege	3080	msiexec.exe
Token: SeCreateTokenPrivilege	3944	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3944	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3944	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3944	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3944	MSIEXEC.EXE
Token: SeTcbPrivilege	3944	MSIEXEC.EXE
Token: SeSecurityPrivilege	3944	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3944	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3944	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3944	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3944	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3944	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3944	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3944	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3944	MSIEXEC.EXE
Token: SeBackupPrivilege	3944	MSIEXEC.EXE
Token: SeRestorePrivilege	3944	MSIEXEC.EXE
Token: SeShutdownPrivilege	3944	MSIEXEC.EXE
Token: SeDebugPrivilege	3944	MSIEXEC.EXE
Token: SeAuditPrivilege	3944	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3944	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3944	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3944	MSIEXEC.EXE
Token: SeUndockPrivilege	3944	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3944	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3944	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3944	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3944	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3944	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3944	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3944	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3944	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3944	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3944	MSIEXEC.EXE
Token: SeTcbPrivilege	3944	MSIEXEC.EXE
Token: SeSecurityPrivilege	3944	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3944	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3944	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3944	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3944	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3944	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3944	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3944	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3944	MSIEXEC.EXE
Token: SeBackupPrivilege	3944	MSIEXEC.EXE
Token: SeRestorePrivilege	3944	MSIEXEC.EXE
Token: SeShutdownPrivilege	3944	MSIEXEC.EXE
Token: SeDebugPrivilege	3944	MSIEXEC.EXE
Token: SeAuditPrivilege	3944	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3944	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3944	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3944	MSIEXEC.EXE
Token: SeUndockPrivilege	3944	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3944	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3944	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3944	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3944	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3944	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3944	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3944	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3944	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
4244	Nero.exe
3944	MSIEXEC.EXE
3944	MSIEXEC.EXE
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4244	Nero.exe
4244	Nero.exe
4244	Nero.exe
4508	setup.exe
2324	PRQStarter-1.exe
3372	NeroOSValidator.exe
3372	NeroOSValidator.exe
4720	PRQStarter-1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4508	4244	Nero.exe	93
PID 4244 wrote to memory of 4508	4244	Nero.exe	93
PID 4244 wrote to memory of 4508	4244	Nero.exe	93
PID 4508 wrote to memory of 2324	4508	setup.exe	97
PID 4508 wrote to memory of 2324	4508	setup.exe	97
PID 4508 wrote to memory of 2324	4508	setup.exe	97
PID 2324 wrote to memory of 3372	2324	PRQStarter-1.exe	98
PID 2324 wrote to memory of 3372	2324	PRQStarter-1.exe	98
PID 2324 wrote to memory of 3372	2324	PRQStarter-1.exe	98
PID 4508 wrote to memory of 4720	4508	setup.exe	99
PID 4508 wrote to memory of 4720	4508	setup.exe	99
PID 4508 wrote to memory of 4720	4508	setup.exe	99
PID 4508 wrote to memory of 3944	4508	setup.exe	100
PID 4508 wrote to memory of 3944	4508	setup.exe	100
PID 4508 wrote to memory of 3944	4508	setup.exe	100
PID 3080 wrote to memory of 4516	3080	msiexec.exe	102
PID 3080 wrote to memory of 4516	3080	msiexec.exe	102
PID 3080 wrote to memory of 4516	3080	msiexec.exe	102
PID 3944 wrote to memory of 4380	3944	MSIEXEC.EXE	104
PID 3944 wrote to memory of 4380	3944	MSIEXEC.EXE	104
PID 3944 wrote to memory of 4380	3944	MSIEXEC.EXE	104
PID 2220 wrote to memory of 4624	2220	explorer.exe	106
PID 2220 wrote to memory of 4624	2220	explorer.exe	106
PID 4624 wrote to memory of 2064	4624	msedge.exe	107
PID 4624 wrote to memory of 2064	4624	msedge.exe	107
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109
PID 4624 wrote to memory of 2592	4624	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\Nero.exe
"C:\Users\Admin\AppData\Local\Temp\Nero.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\setup.exe"
  2⤵
  - Adds Run key to start application
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\ISSetupPrerequisites\systemRequirementValidator\PRQStarter-1.exe
    "C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\ISSetupPrerequisites\systemRequirementValidator\PRQStarter-1.exe" -e NeroOSValidator.exe -c "LANGUAGE=1033"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\ISSetupPrerequisites\systemRequirementValidator\NeroOSValidator.exe
      "C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\ISSetupPrerequisites\systemRequirementValidator\NeroOSValidator.exe" "LANGUAGE=1033"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3372
- - C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\ISSetupPrerequisites\rebootValidator\PRQStarter-1.exe
    "C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\ISSetupPrerequisites\rebootValidator\PRQStarter-1.exe" -r
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4720
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\nero.nerobackitup2017essentials.msi" TRANSFORMS="1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578" SETUPEXENAME="setup.exe"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe "http://install.nero.com/link.php?to=153998414&gm=20160815105321578&pi=32127"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C6DB7C2D005F0C2809D57959F8D7A50A C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://install.nero.com/link.php?to=153998414&gm=20160815105321578&pi=32127
  2⤵
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x9c,0x7fff419046f8,0x7fff41904708,0x7fff41904718
    3⤵
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,2484554559473035311,15444491719277623148,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
    3⤵
    PID:2592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,2484554559473035311,15444491719277623148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,2484554559473035311,15444491719277623148,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
    3⤵
    PID:2800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2484554559473035311,15444491719277623148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2484554559473035311,15444491719277623148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2484554559473035311,15444491719277623148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
    3⤵
    PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2484554559473035311,15444491719277623148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
    3⤵
    PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
10108f343d99dbb18c17c9feeee1beaa

SHA1
8413425e1c3d2fec0a86bb25d480585139be5b03

SHA256
72d4d9d9cfc1041034c5d543b4d4748abe48f64c10b5c0fac486844d96bc4805

SHA512
1aca7f876094e0d94bb00d11a4dc085397ad997942b4bf1a59f8f73738cd5d721179b4b4d3ec39153a236be0a74903bba2897eb057b74f84b7d74e793f8c6ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D39B4B65_3692_4292_833F_2C81D15845EB__11.6.0.22__4516\AdvrCntr6.dll

Filesize
9.1MB

MD5
38e7452a37c4473c069abe6647331429

SHA1
40ac41f58556f787d6c5720260e0f596606fe1b8

SHA256
fb5892224ea37f1f77ee48db323a28a76b9b549b69e827c91edecf87f06f7612

SHA512
a93d6398815906545496457511147991f661984850a13306e9c6ff1a7e9768a25d88fa6f677b69f2b3a224cac7b51e70f8841a57e833d073c28e9a866510afda

Download Submit
C:\Users\Admin\AppData\Local\Temp\D39B4B65_3692_4292_833F_2C81D15845EB__11.6.0.22__4516\eula_nero_ko-KR.rtf

Filesize
2.2MB

MD5
f8ce6c200fb81bc1af588fdcfd97c048

SHA1
f8ce2117332e50d0dfe5689ed38aebfd9152a6f2

SHA256
4e676bbdac3c07877fb3b708ce586a59ebc9108ef799c42dcf99fe43e5aaf53e

SHA512
3bffa6ba03006f56f8801590f5c1a38fe5512217f800d1718fb91390978ea6aac87bac6f6fc4829696864aca43bb77809e99fab73b8c3ed7aa1d472cfba3b35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D39B4B65_3692_4292_833F_2C81D15845EB__11.6.0.22__4516\eula_nero_nl-NL.rtf

Filesize
241KB

MD5
3c265d2bffd5c74a64019ec393a78ef5

SHA1
8d05b7b62a7f81506b16170e626df97b50d479c6

SHA256
dc1e5c9287b6a3f9c4adee3f7ab231a771b4cec589aa03faf925f1f8df15075f

SHA512
6e7d17336c100926e1d7e56c5d587902b526477155a3352ac92e4e84788174559b401ceec320c73d2e26155085ad2adc300ed538c8c1a384f84ba5bf0440ebb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1F1C.tmp

Filesize
1.9MB

MD5
498f5ebcae4f00981a601879d88c6d44

SHA1
98b6936b816c882fa2c3873eb6bd8dc67631da17

SHA256
7778fb9a596d9a3b49b642530dc06377284a2c99c9c3c25a00324cf258bc60f9

SHA512
df17f33969209a901d3990dd6f1554df05cea5d2e58515ad516e9008d645fb68f5d0c29f841e7e1cd4a7db285c9bdfd5e5affa7c1597749443fb7f751b863a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1FF8.tmp

Filesize
97KB

MD5
b2a18dcf9668ae6b39e7ac02f0917378

SHA1
8943148bb1f0642fce269db02548fc1252ff3aa6

SHA256
eaa050f1a41d238f9b684392d13592b49738c9135031356bc9bd8cc0593946d1

SHA512
85369132e49d88076e8346d632260bd0df25e8017d6f7a0d353a1bd181615107fd06bd7e3c03057971978afb45fdafcbba2321316a21ac0a8cf27254f621e32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI21FE.tmp

Filesize
2.1MB

MD5
a3f3c1931bbbf7707a0069ef13d0bd4d

SHA1
d2eab245e33291b5cc6731ed2d38d07eacb53eca

SHA256
c09df190878f2037247cec72392567ad56b1c2439241f8fca1fd284d66b8596c

SHA512
3226f088571fa144b4c8cab923d2fe909e1c77765522703e3e7430dc7e98b683167a906d4be39b9d3dd3b79c021f4dbfbaf6351c09ef2c3b6225078b737eb365

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\0x0409.ini

Filesize
13KB

MD5
758747727e96a23c7c5a5bbb011656e4

SHA1
51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9

SHA256
bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825

SHA512
21ff9d365beb1b7809b89d540f41bf330515f05f6211c8327be43baf1f050e46ecc1654b0696e7c82a2a803267e38d780ffd83dea7448861f6e3b84838685627

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\1033.MST

Filesize
28KB

MD5
59f99f9fc53eaaeb67b2064b31b07786

SHA1
4ea1ad4786dd123a12095ebf35f905d0da2d6330

SHA256
16b052fb447778274a3427f6bdb4e0325bdd30155940f1cae5112f7aa75eb394

SHA512
370ca5057050ed3e5b4ef1a28e32194f5ba102a390ba37a439b878aabe334f6a2ba58787daaf44c07749664cea5811e321afa14bf3a34f23d5ec3e7289cb46d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\ISSetupPrerequisites\rebootValidator\PRQStarter-1.exe

Filesize
2.0MB

MD5
8ed09d8640befd428ad548b7e4a4ceba

SHA1
e6524a518bad6c3e296a3020804cdcb27a30ad35

SHA256
7124c45489469a8dad50cb6c44b1580154e610058908dddcf01b9e82e0f58ec2

SHA512
c662205ab7ef5875a72895380686c095922c32d4f5c6a0d4c062701150c5cb3447cf8704ac1793470ccd0607151bb5d00dcf2b0b05d3974a365a0fdf640e949a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\ISSetupPrerequisites\systemRequirementValidator\NeroOSValidator.exe

Filesize
3.0MB

MD5
9e912a3acf6bfc231ed710a9ab565b4f

SHA1
36fc4a04af67a5b3fd301e748d918a4b63f22a13

SHA256
93f10fe9106048fbf59e1be34de4aadca9379bae8c8c3575861ddafe988139df

SHA512
c6fce52b9bf9a434d6dddee172861b56b47c1b7156f8ee0fdc0bbac1778caeadf4e4c93de6f5313541925ac2642afbeb5329a3ecdcf62c2d2a5995eb479dc3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\ISSetupPrerequisites\systemRequirementValidator\PRQStarter-1.exe

Filesize
2.0MB

MD5
a2adfc3fadee7fe0789c32535155ae2d

SHA1
49a098b798d6dfbd0476181a0b7fda37e720be1c

SHA256
3b89efc34c0f186fc40412c98c3623f7584a23770e57408de9cdd1a4c74d0caa

SHA512
1ded02d4cb066d85e4621a853d68807e84ab7ba8c00cd685254fdf5e0ce6bdd2f410165cc512723b83f385f369e1892b85cff903332699a7828929952ec488a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\Setup.INI

Filesize
3KB

MD5
fc022a8a62ea26e508ee543f64d7ef2b

SHA1
893cb3e9974b12804019e4db5caf82aa22602751

SHA256
9e84fba3482d9f6e189e8aa5f0ef481daad078bddc5111cbcbb78a6040ab087c

SHA512
026091fc1bd1199b187fa7c9530256e16ddb935c0a118b9648298f78631d37ddbb8912ec6eb8fec5e4804c02136f8e17ea2343c9219075711a4575a0a74eff53

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\applications\controlcenter\1033.mst

Filesize
32KB

MD5
fb34a4020bbff1410ebd19431c71624d

SHA1
dc4c64832084aa940a9d00dda6be945b2a5d3f8d

SHA256
c717d9305207b9643d314ac8f8db2a84ff43fd2164f6cdb57cfe8deb408e965e

SHA512
1803536c1c80ea810f6eb8ba8eb10f354c65376ecf41eb78245dea07f8924a1db3d323156b4d2e9f684ffd896a5cff558e9c97aa4f12a94a2f86d2b6e7ea6c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\applications\controlcenter\1042.mst

Filesize
104KB

MD5
022590a1146194bd0674bff167063907

SHA1
e75cf9e20bc56d07ab9d0fc8159491ec35f754ae

SHA256
3b5de8dee4110707c3e978eed0bfe10185b13fe7e8e54a4017639dc444444518

SHA512
93807731ede1d549d295a1c44fa5c7017d5d5313ff5f31b3f8e6d795e7d82fe6ff2eadadcf3c4358229cca361e2b1f09116dfad56db4d591580b9cbf7897ddba

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\applications\corecomponents\2052.mst

Filesize
88KB

MD5
390b04fc18f76f29d4d142b59004b83f

SHA1
19cebaf0c02cb86e4cf17e4354d9096a55342dbf

SHA256
2d6e56b683840cc9723683f881fa19b6170828aa8dce1b3f76816360946e7d9f

SHA512
ec42ca183f63e0be3a55d98394d2cb8b35f1e1b10b8c2f8dda376da698d6d06638e258a81f54d373628abc1ae51197ebf38c5d17ed423cb7e90d963c2b515731

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\applications\corecomponents\2070.mst

Filesize
116KB

MD5
28e5b036abe6149faa135cbee2d176b3

SHA1
cd07e8d0e21d4abeed303fed3bc7e3022ac6cb79

SHA256
961ade56f4529579069f4ce0bd62b3386b76b25e21c1708f9f2c6e8118bdd838

SHA512
7cea54e3ae8957c449b633c0cb590a8fc5028a9ccc1502740a3d259a021632b564afad1633b8a2e50c05d52e3ab011ca7275a611aeaad65e03171b60d070313b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\applications\info\2070.mst

Filesize
112KB

MD5
97b03306c373593844a6e04305329855

SHA1
ac207493c87f063beab476be590f584cb3b8c0bd

SHA256
dafa64da3a25ed15ca52f55a2fe8391b19d35e66e9388f42a63a626b24ff6405

SHA512
3e3b9612a5f53c91dce96524136ae66ab7aad75477da0ac850cd6f2ebc8c0f170ec75cd91d2e28a8eebadb27a9432c012b6810e53b1bcdeab014d1cc8a7865b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\applications\prerequisites\1031.mst

Filesize
120KB

MD5
16e8409c53af5041b29a27ae289d41d3

SHA1
f4f8a78a17f39b618eff6c57ed30a9be6ae38b19

SHA256
d6afeaf5ddcc7bb00ee376820046b0b753780e724f5192665bec6005e4b7883c

SHA512
4e548695902c2549fdcd8ebc174638eab438d6bf5405211bb7fa8f67ee61718f4b726cb07b17b9326b11b5c896bff2fd615ca202ad1b8de6a4ea2c22124b4fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\applications\prerequisites\1042.mst

Filesize
108KB

MD5
fc5b073697b40d11939f9f31a38ea5a7

SHA1
8a374feb136bfc6d6a076f85f6aa32374240eab2

SHA256
c9df484fd25feddb35d4ec9b66389ed9bcce5b44eb50e27c37101cf388662a7c

SHA512
1b8c456f1725558786d639fb6c07befffaec114ea51946efcb1259bd2a2babb7969f0add9a79db04dae72fa983024d385497f476f4a5865818566fa2a9055fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\nero.nerobackitup2017essentials.msi

Filesize
26.3MB

MD5
aba3c2b25577196145e534e5aa139116

SHA1
6f8af91b382ccc60456db47570dcfe8792aec988

SHA256
432dae3b5c59f2bf9f20d3bcbb5f3d0459164d80984f93bee3dd019982be0a5b

SHA512
b4aac669c1ec57db84b40d7c4de8eb33bdda8f52564cd4785cbde4c3502eb84dda4cee6a11125a7aa47a5811a89526968412674e6e060e2d08c90aa1467dbfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NeroInstallFiles\NERO20160815105321578\setup.exe

Filesize
708KB

MD5
a4db1f1133f1de61b6dddc488e6c0618

SHA1
9478475285dcd2e5b2087fd5bbbfffc1d87a80fb

SHA256
0d673742fcfa5fcccce6e6d9251b94a6bfed6f7852c7ee809641db65e2e4bb6b

SHA512
fc3c4aa6613e56c5dd7815307e80b289bd46ac8684257af75038f26dbe3958863362e5f6c9e657aad0da5bfacb3445ede0a1cc65ab66f587dc99692d517b5d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRQStarter_tmp.log

Filesize
2KB

MD5
838efcf9942ed92ae88810ae99dcd810

SHA1
219af853505c4b1ebae266d17c5b611e30b815ba

SHA256
ecb30a74a33ee2fc78c7a4f25ff8f2fe6eba82ed0ffd4a48ddf6f85acf0b57b2

SHA512
9924aa878f357e930146c5b5e5be378b7ecb416a5f6ff63588b139dd7fa9931eee6a562f1957fb8f2ffc9274c1800f7ee105af9e87212111d463f7ad8e7ee90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kernel32.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11FDBF35-A585-4A5E-A217-0C7E80532567}\ Reboot Validator.prq

Filesize
879B

MD5
7e6584cb794d710c33636ec783e8319a

SHA1
d313a131f72dad5f965d36e1dbfb4a9704b2623c

SHA256
2f338ab881ff24e316eab3e02ea78f00e89ff718edc589b9f186b7ae7f412d31

SHA512
10660114f17ebfe46bb77993c64104fc10116f379ed6d35eae3b95a41fd3b005b7fec8dce6cb3720e22e57c36c6ffe9f5eee8fa428d56c8634073b59c4cdb7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11FDBF35-A585-4A5E-A217-0C7E80532567}\ System Requirement Validator.prq

Filesize
1KB

MD5
6b1b5b6a2bd2480c921362760bdd2972

SHA1
bac3e9e4d737a870dd394a1518f99de41c926369

SHA256
f72403cdbf7ecbbcdcc817428a6d60d5a20efc62bc7fe2b479ebfe9c9dc7d591

SHA512
5020447dfb39e9cb3caf4bcdd97a867657ee1e39ff0eb0b0c6d0f467c3058f31ae4f044b850df1856552d439abd390be053f4002d3b01d7cecc0e97036b469d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11FDBF35-A585-4A5E-A217-0C7E80532567}\_ISMSIDEL.INI

Filesize
22B

MD5
8fef5f010ed3aaaf74d3214334be4088

SHA1
fa90e59e675de66d246d697a868edca1562f9d30

SHA256
55fa3d1388e8f2da8e7a35a2e809ca5924077a3c40eaee561c1e3686809f63c2

SHA512
c2a5ba5c311c016779a3024ae9600b29e718afe2b01103206bec72719b5e0e47bb1096cbd3b389b00a0705c565800a740a7003e4f8705e00fbfe0f2e2d3318d2

Download Submit