hxxps://cdn[.]discordapp[.]com/attachments/1284700959355830322/1284702554365755443/Nezur[.]exe?ex=66e797fd&is=66e6467d&hm=9d5a36c324ebd1c143e1a32a7f32eb3c76e9c69bd05c5e0a68a5be2b08ecd7e0&

Analysis

max time kernel
244s
max time network
299s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1284700959355830322/1284702554365755443/Nezur.exe?ex=66e797fd&is=66e6467d&hm=9d5a36c324ebd1c143e1a32a7f32eb3c76e9c69bd05c5e0a68a5be2b08ecd7e0&

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1108	Nezur.exe
1616	Nezur.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
1	raw.githubusercontent.com
11	raw.githubusercontent.com
44	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Nezur.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Nezur_External.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 36922.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Nezur.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2616	msedge.exe
2616	msedge.exe
3800	msedge.exe
3800	msedge.exe
604	msedge.exe
604	msedge.exe
2760	identity_helper.exe
2760	identity_helper.exe
4704	msedge.exe
4704	msedge.exe
4676	msedge.exe
4676	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 2916	3800	msedge.exe	78
PID 3800 wrote to memory of 2916	3800	msedge.exe	78
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2984	3800	msedge.exe	79
PID 3800 wrote to memory of 2616	3800	msedge.exe	80
PID 3800 wrote to memory of 2616	3800	msedge.exe	80
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81
PID 3800 wrote to memory of 1116	3800	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1284700959355830322/1284702554365755443/Nezur.exe?ex=66e797fd&is=66e6467d&hm=9d5a36c324ebd1c143e1a32a7f32eb3c76e9c69bd05c5e0a68a5be2b08ecd7e0&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb0cad3cb8,0x7ffb0cad3cc8,0x7ffb0cad3cd8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:1776
- C:\Users\Admin\Downloads\Nezur.exe
  "C:\Users\Admin\Downloads\Nezur.exe"
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6940 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,13792350778361180922,3843668733913470128,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6600 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:904

C:\Users\Admin\Downloads\Nezur.exe
"C:\Users\Admin\Downloads\Nezur.exe"
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000047C 0x0000000000000494
1⤵
PID:1108

C:\Users\Admin\Downloads\Nezur_External\Nezur.exe
"C:\Users\Admin\Downloads\Nezur_External\Nezur.exe"
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
1024KB

MD5
e3726be5903bdc3e755a9e49b13b4d75

SHA1
5bb50dda728ee519d473bc9691878ff2dd113082

SHA256
c710a0335a5fa28c7c208872aca114129517ff48ecaf6476e28ed4f52e3a32f2

SHA512
e51c2a02621075920a8a4b9584457d3f3ebacb70ed3709c105c53933781f2fc1fe682fa114b3b5a242cec1429655e392222b962f5923c58ee864089ec63234f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
1024KB

MD5
312d78d27a06cee1223563ba4b0887ca

SHA1
e9bc03c9b4c6648860a4b69ba982516375390be9

SHA256
e670013f79524f44843c77d418d7321a04c38367b7f6dd3b7aec7f2c2a7572af

SHA512
333ee385de4981614c3f75407fee69b7eb6bdd007731af99b43d0b948fbbc261f473066b1a91829bc499630bfc471d52cd0ee58e83aeff45f446fae5a5b9cf7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
1024KB

MD5
36fc86497b5b47cc031ce21ac137d566

SHA1
77ba420b1cdf51ebcfed9dd031d1d0a9c9f116db

SHA256
62df18f671119333688a9fea0693b56773f0366009682c72d2393dc329b2802e

SHA512
968013bf0eb2e758095cafc6abc4e4f1f061c0fdead456bb1521777bc0c28bf1cd161b8786ae688d7bf8f302a70a36bbe43e2d15ddd07f1716f0cdd096c6aa91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
1024KB

MD5
7ec01e09491fae7a17fa096bf431d04f

SHA1
084bf57c16848f1d8167b09fd3f4418b0de7cfa2

SHA256
07bb6768dc38191f0659f22478d80ed9d24d2a6b84a7f3e78e0d32bfec78c751

SHA512
72ba70222d848f7dc45d8fb0abc7780765ca31d77849658a2cfc78b188d4642922a5cb1c437c1d5984e013d70944bc9bbfee26e599212ef89b7e0ee6eaf2f1ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
1024KB

MD5
2991ed7d6e0f6cef781b41be1026153b

SHA1
35768823f8d42f8ac7421a2db8ab17c78fa6ed1d

SHA256
8890fe5a8f972c0b844db1a8837ae33cb8cfba13244b75566ecb90d54fb454fe

SHA512
18c7da9cf991178514812404d9b92c93a52c3390f24e4d7a5d4b2a9d68e81fbd2e98fb13b5abba0f063c410a7a961d454e5a8e1d389890cd14e03be06bff036f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
1024KB

MD5
4c186bdefadf200b9ac1bbb9856d8844

SHA1
3bd79494c4660cfd3b1ba5db7a77f2581e62e2d8

SHA256
324e1dad5e00ba645faacbe270d4a0c20b8e107f26b77db4b92025128e5faa4b

SHA512
0012aae12d5b6129d3db5f11ac6ab28c1349918f72cc26e1c2547e67fbccfd90101ba9c7fde6a7dc7b378cf9e25b1266a5658bc5baf77e09ebbc683bf5d7a1fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
1024KB

MD5
4f4528c9c008b046a973d6e48c0c38b7

SHA1
91571bff69b1af1df2e93bfa7e60b0a08c1e9081

SHA256
3cc9d69593fcaf1a367e19718a736edbf2c4be0fd566f43b365430512e6c2581

SHA512
eeecedf96821cd6d50fbeee72ab4340339336c476c508d26e78744c44d8cb0a1736bb2181c9b0a75514caa67bceb51f22b0c012c2b3fc71ba41e8fb86b33e652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
1024KB

MD5
25ba347cfe7d7a5183eddca5946e7b08

SHA1
ad298d87ce0311c14d69cc3bd7210c64d7026679

SHA256
9f32fcc7c39d123785ca1ecef16b8a166b202560cd5ceb8caf15b0b8857cbad4

SHA512
3c956860d8abbcb717ebf0f91815c95e599a0a86261f4847ea60e25a2fb52f92c2e2e234fb199a219bc9caacbbd745f9f82e6c0b56b3237757f18607d5bf05cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
1024KB

MD5
96307038302a630b3af229c387d19f2f

SHA1
809e0c51574d579c0885ad721864759799a5f6f0

SHA256
655d6807c60ea8cbb2424d67bcf2c5835f77d12a88350efd8da7611965980cc9

SHA512
66883242228172ecb0d5a801281e677bd4dbbf5589be4c8d44a5e586aae37ef8c016e7aaff8d20cc6209558376595345c411c50a6551a10fd64c7f18952ac7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
1024KB

MD5
28545a8594e09e42900a813748da507c

SHA1
cb4c530b762e9b77719ac7a7475f44413f444b4f

SHA256
decad27030836d75918afd5f61aa66adaf9e4d2f7fdb88c4fd2dce8b192eb367

SHA512
9d01774b16f6ade321c007baeb907a9aa553be4f2ba9be025e0c173e934504e51a918658badbc8eece32878df62b97b4fed2413f02a19d5335a6c05fd90b8a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
1024KB

MD5
e939686d1b13ff668463fc40ab24933d

SHA1
fff26873fe5813ba0e3496cd196a1b4a40068a91

SHA256
bd3eea5151765468c6ff116dc9fb6dc54c09b8fb034414a7203b43c7b6b6e786

SHA512
587d32f3fdf4f7df2f793050c6632a840517841006ba4791516a6b3043cc7985ee52f000390c780b042f3da8a5077bb2de924f735d5a4f1269a6aaf9ee3093ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
1024KB

MD5
623915455103bc2b9dc84822f900b480

SHA1
dad4e7dec435171dfd501c8def7f493727f9af4d

SHA256
2d50d700c25880fc838b80106a94f04f391f5180cb59655cde7834f1fd55cee1

SHA512
1588816cf6f16a6158a8d459f8699a1f2e39d05d424d77ab6151208bdfbfb44455301d7a5877b60e92f4c63808fb20306ba09ea23e2226d74478177db0871f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
1024KB

MD5
830d964feade2624fc5c5fe85b70d0bc

SHA1
85b9ffb8f5618217974207f6a601c22c8c8333e0

SHA256
8d4be961405adfaf1e80d565ce42baba337a2deb06de55bd83a8778548a2aa19

SHA512
6a998cfc05202bfc1f8130427d6d92157cef9e901b92531a026f9e38d20fd60e11bc84de82bd69012227ff04b1f6949a031b2bab35159fee09f0aa22f58c6ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
1024KB

MD5
05e9593ab4b8b7d7cdd4a4b9a70de0b9

SHA1
d7604f8d6a3e4af51edd65a941cf19852fe8e916

SHA256
a103975f91a91e69852138dcb4ac101e3120506b1ff02c9507b7bab0e232703c

SHA512
33f3a2a2c04665dcfaab727f0d3eb92d72c37422281ce44ff2c2bb610966f794472f3dc4d45399a150a4a017eb831d4ab51f280818f77648886fe735df1dddec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
1024KB

MD5
3706fdeb518318733f614c5affe8ff97

SHA1
51f6fb7915e0152dfe45a6c3160c6d94d6c3c570

SHA256
b1c78a5493d2ebec39bf9ff2cac65726d6f0ff38cb34c5381e7c30e2040de95c

SHA512
afee34e08ecf8b17e3a9cb928445adb5e86ee57f72007938d825b4d944525b53d467060bb130552c39f1ea44c5539fa31e624be3e1c4377d635f9522f70fda46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
1024KB

MD5
3d9aa41eec5c5c829aaac25b1530a3b7

SHA1
83850e040253d6bb1438041fd6c6e2b3cc2e70aa

SHA256
517a1747f778ba041725d8e4ccbdfe1bc7560fee2942ec2ff594c9f566abeb91

SHA512
0deb5b44f165ee83bd9dcb2a18a7552b987da2cdd151b026ce9a7d02a31d2efbe386e4709fdf104b563288f756fa12249248e9224b3037b71508f0a12cae50d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
1024KB

MD5
a03b564974eed51f7201d10a02c12389

SHA1
4984f62d1ea00056dd9bdccd31d9a52c8309a542

SHA256
80e071fb79557e188a58c8ea1528596c1c8ec36ba6760cd7d65a1c7b5c3284aa

SHA512
88e2bb757566de259d960fd362c6ba07846bb6e692d3fd0dd92e7ddb9209c77466c2ff8e2ddad3d2c12654708746b05a98a5d77296e1f723845b8e3fb95bc78c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
1024KB

MD5
f739088e751e2a5b47b02790cb04537a

SHA1
8580e253008e39d1dd71dadc881e489352e783da

SHA256
f4a044fe7c3b29cb6f0ecd8d0cb98cab209795b19432862ae526df1c32454909

SHA512
1cf541695afb8341c99cfb37af562549de9fa37086d52e84b7e3f192a9e45105aa85b8afd35f455d1c3ad5d6c2400e4daa8d1d5c4d8c256aed28feaa098d7d80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
1024KB

MD5
4c88a98d83e1e016602321d7c9f10271

SHA1
d806556a1c3d173c5fd9d8d4b3f481f54e5b1475

SHA256
cc517d1bd8762e6286c31df1a7be023633190348c4af91214bd31f9a7728c682

SHA512
fc7f6a972940887bc3f91b6a67c1c701dcb25ce43b57fbb49fff1891fc270d57b35c74199ac73d7cbb3ed212713063bae88d6dbda89395c685ba701177655f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
1024KB

MD5
c94d1568fec78ace0a8ee374431715f3

SHA1
e28472a22100f1bcd3cd98bb2a974778318d5b8c

SHA256
ecc5749d6517c2c86b86ffffb020024a02eadf98bed36f4889ffb0ec935b70e4

SHA512
af9573a25f9ba41ceced539a82b32df69f4193b91f21c5ab3d6740e8522e7e045b5c4f50b6a5c6a16846fe1d30e2391185e5a55723f24a24bff4909169b077a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043

Filesize
1024KB

MD5
0bb95b771e0fe281ec3ea918991ddb13

SHA1
8e8a7a76ba7bebc128dbeeaa65073e97aa0e920d

SHA256
e1fd5a3263aec39fd895722d3cb258bac856e7ee5c53fdb771ffd2fff817f0ce

SHA512
764d6b5aba4a174a095b189ed7c6ebe972a9c7d660a5c4e42de2f61f1ddc539ebdd8fe79c15db76a029be23e3e4e235a6b1b2446a1fd62b27ee1f69d32e4c2bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

Filesize
1024KB

MD5
0df640709faef1238b9dac0c1fd9841d

SHA1
11d24c376877d902619f481c31c61d4ebdf3dedf

SHA256
038a887a85a94ff165a4f9559ebf5b718ec4ba9e08f37297ac5da016840b8bc3

SHA512
36706b422f803878b301a884d0ba1b06d80b1f5084b0fa8e56ddaacf840c2180d53c42cdbbc8417d051933d16690ae94c28b45dd6315116dc460c427e1f42154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
1024KB

MD5
ae78984688bad532c4b71ec4da822f3d

SHA1
64ee212978d5a0fd7578f380a50fb6f6ec0a0ca9

SHA256
17f2e5d353360de2bdb79616bd05d6cf9a96f09e949ec3c0de4abef71fbefc92

SHA512
6f1303cd2d05f551859cbd486c81377a47ca3d2da9ace7a85e76974599f8666507bee8a08764f493e416185d5e2c8477c0ec24969a4bb25146c7005422c35aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
11ccb731fa9bd02dce86c608cbf3077b

SHA1
32033b51bf2d523a5d8d93ed5dd914872e92fb89

SHA256
6f7c816f8af18e42540543c0ef6b0a5f72a842e6bf5840632d1371b6d26dd1cb

SHA512
603ab14298f0832263e64c6db435cee821dc3db17e5ba09c6a0734e115ecbf4e7a2df01bc6a7ef42d876d106fddf5b830c70e21f47af5e6f945f8ceafc328107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7edb26d6e82904a993201d4c918bb359

SHA1
a778beef1f47dbeca4b612068051dfda16bb9eda

SHA256
34709e51759692f03fa32b5a68980ad2819600276df6c241799917e85140b58e

SHA512
7528528bc1237d8b491b9a71c5c55a7f512d1801300e4b42eed92bea3da45583fde7a490532b6ec384b86d24677d6c358da44fb39d6c35b8c34b84d556842c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
72be6a04ce39ad3ae91cbec80fd74e10

SHA1
a2c6019c5549284232d4ddb3b40a8eda6d8e4add

SHA256
7d14279a49229558c79ab545f7e5c694fcc44109ea0a315b7793c4cee15b5158

SHA512
eda1bdf5eabe18dd0a9c49dbb10d186afe11a7788520e17425ecd732c23646327bfb0bac8c65ca2639a45225c39ab151f4029abcb38d6ade21a684e840362134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4e41b54eef553997825cb947513656dc

SHA1
0e0ab6b5e14aba5cec8e623be99c8f92f8e4e83c

SHA256
d5e27aa7ced90ca3539bcd050134da73dde3bc52f7a2531f1dde2aed57272024

SHA512
3e658a25ad9b58f3aa348367da3e8b55340dcdee27c45b74624e62312cf5d2ff278d5bc861e43d87d41fa8c8204c64fc6a6cbbbb6b860a85ce28c7eab61b9b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84cf0aa9d7b8ea4c7b50eb3530839d9c

SHA1
5909a54d93375932080e00e5514754cf3fb0f9cf

SHA256
49529ddf9aa9130ef6c704a632f458f83782e348838c3b7cbce3975146a8486b

SHA512
dd1eb3cf6bf236ce6a7d2e8620dafb46fbc52e6662c2f9acf5bc8e6f96a25f45324f754f7d35b28feb8acd298e5b9ea46be353d3438b60a91d188c0debf790ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f4200c73be594ccc820bf168fceab954

SHA1
aec2846c1208a57db03d3f4bb0fb7da85ef1cf30

SHA256
24b4d89184f0ede3739351f18728c7a75945ce9422f8a704e239bef02b3bdc98

SHA512
c3f473e436a9847962d27638cde5c295dbe9b4c720e607e876eb15be7c5975a7449da11080157c34acaedf3922f4959e8633b2b0b19d0c041e155f1f112c70c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3732e6d4d32a65a28fb752f9e1cb1cc2

SHA1
914af103b3e8a7c7832243c057e4c7d61a93df77

SHA256
66fc7fa0fc537ed747094c9765c0e6e29e39e721ef1903177d53df074b9096f2

SHA512
4e74f748d373253587f4cbd266f4b82a33b69e8fcf518aa7517d18bac5cd60d00f23db1d3e08e939d639ccfeec82cc400522d7440b0b5d0a96291db922d56146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
8b0dd6449f041efa81d85044be3d6501

SHA1
c8e3a413f0c40ecc79266e103418690ad8fe659b

SHA256
5f423f37af8a19dabd54d1e6f0a3c62b6a283ed9e26afd732cbfa68f427f0998

SHA512
f869c341820247a1c6c0f5525cdcdf2d88d6862b916ae5e491fc3f3d0a160b5125c3ca02234f2897973dba3ed6f04b0370d31b67453996fe2a438113111891a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe597f29.TMP

Filesize
370B

MD5
0ff7a3a9cffec0a8f4390df3f302cdec

SHA1
ec0a0261323a83034f562b523e89fbd9b94ac50b

SHA256
61f8d2272371b1386b1aff1b0222b27ca4264f95863ce332b828c439781e4440

SHA512
eb205ddaf9d02832934502b9f85fe0d1f9288a721e93e682c50f5e4af8ecd3fc3b8b49794ff924c46159879fad4211b80fc26c6f067562a344c96933d328441f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f96a964041838dc3c2dbf008052a0db6

SHA1
bcbc4c7575a3806187c0fbd34e6bd3f09787db9d

SHA256
a42f49cef070c0c13890b8e661c439abc42e61cb9510355508bb7f4cc11b3636

SHA512
5937deb3401b977319e8554a5c305bf00a526dfb2b5d35cd54d955492ef49f295e98d772f22624e23eda6ab2c162a93d60ea61f6c1c40f2cac834ba93dc7f350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a81fa435d25b404103ffd154a270cea3

SHA1
6642f8b9ab8a6afea71f6f9dc2cfe9592b735b1c

SHA256
9e6835055f98385854a7ab79fec8af05874b17ffeefcf8d5077079bf02aef908

SHA512
7fceb0b06befa5c0034fd2a19c8ec6608868d4f6ecb3ed4fc275d45866f74588fdd430463d82a08d20dcfc46cd6bfa8976ac36b6d7de2b54c1d4c4cab422c3fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78d59bd938a6814e8355b1e1423cb10b

SHA1
ccc45250920c942d196b61b3da8de348e29d8565

SHA256
66ab61937916d5cbebb41b8d27abb1e491fee2e7ddf9386c4c540d416b274a4d

SHA512
1402813e4bc580e8a3d2e4836ce3cf98facdfd29e4f4b3276ae1ba9feae63b512753c2e2a32063f011909d24756f7b4ce1e81a57be84216e2727c68ac6eb112f

Download Submit
C:\Users\Admin\Downloads\Nezur.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 36922.crdownload

Filesize
3.1MB

MD5
934028f83301e5a439bb0cc9b3283cbe

SHA1
b36a7111fa6f9aa47f35f7b3e41571b4fd554c0a

SHA256
bede42b3862c940a9add2a590b404c732a31ea4a03d4ad8bbb87ef0e4046d033

SHA512
843a4dd6ebae51940bb3e1fb06516e2060440d2053cafe7888a8a151e1e27e5d26f8b46114279248c9a0339706d6fea309d38d27bac8d46315144c2df751d704

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 443387.crdownload

Filesize
12.3MB

MD5
9d51ffac7886daf04284f69422d613a1

SHA1
f521f6bfa41fd9c0027d51a4809efb2f7ae3f328

SHA256
5ea88daf5956173af9405f505db3076ab60f5c81e1df92bc165043195c865ce2

SHA512
c70db0cc62d5ff8a9f2ee59f47a8894f23ec3a1d5f4ba8e86358ea167beb711d6a8760ea95e1d84b1b5223ed9a60c935ecef59553ff706df8512a8f519b72ad7

Download Submit