hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbEd4MG5KTTQ5T3I0UDlmdE9hUFh2V1dVOVZBQXxBQ3Jtc0tsWkJuampITzIyZ1pwRHdrbklzMkgyNld4UVRtalBNMjhtTzhUQTJUc1cyd3U5RnQxcjBPMEhBZHUySFBFWVlVcTNRckEtbV85dWdrX1BLaWR1Q0xpbnl6OHh2bENnaEFaaThLaEh1N3pQVzVFTk9lYw&q=https%3A%2F%2Fsakpot[.]com%2Froblox-nezur-external-executor-v3-updated-version%2F&v=bklyYVc-DBc

Analysis

max time kernel
1040s
max time network
965s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbEd4MG5KTTQ5T3I0UDlmdE9hUFh2V1dVOVZBQXxBQ3Jtc0tsWkJuampITzIyZ1pwRHdrbklzMkgyNld4UVRtalBNMjhtTzhUQTJUc1cyd3U5RnQxcjBPMEhBZHUySFBFWVlVcTNRckEtbV85dWdrX1BLaWR1Q0xpbnl6OHh2bENnaEFaaThLaEh1N3pQVzVFTk9lYw&q=https%3A%2F%2Fsakpot.com%2Froblox-nezur-external-executor-v3-updated-version%2F&v=bklyYVc-DBc

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4276	msedge.exe
4276	msedge.exe
3936	msedge.exe
3936	msedge.exe
1552	identity_helper.exe
1552	identity_helper.exe
4352	msedge.exe
4352	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 4948	3936	msedge.exe	83
PID 3936 wrote to memory of 4948	3936	msedge.exe	83
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4040	3936	msedge.exe	84
PID 3936 wrote to memory of 4276	3936	msedge.exe	85
PID 3936 wrote to memory of 4276	3936	msedge.exe	85
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86
PID 3936 wrote to memory of 3268	3936	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbEd4MG5KTTQ5T3I0UDlmdE9hUFh2V1dVOVZBQXxBQ3Jtc0tsWkJuampITzIyZ1pwRHdrbklzMkgyNld4UVRtalBNMjhtTzhUQTJUc1cyd3U5RnQxcjBPMEhBZHUySFBFWVlVcTNRckEtbV85dWdrX1BLaWR1Q0xpbnl6OHh2bENnaEFaaThLaEh1N3pQVzVFTk9lYw&q=https%3A%2F%2Fsakpot.com%2Froblox-nezur-external-executor-v3-updated-version%2F&v=bklyYVc-DBc
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91c4a46f8,0x7ff91c4a4708,0x7ff91c4a4718
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3044 /prefetch:8
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9409229649309408156,3666130894383343216,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5940 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4344

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x4ec
1⤵
PID:1056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5828

C:\Users\Admin\Downloads\Nezur_External\Nezur.exe
"C:\Users\Admin\Downloads\Nezur_External\Nezur.exe"
1⤵
PID:5580

C:\Users\Admin\Downloads\Nezur_External\Nezur.exe
"C:\Users\Admin\Downloads\Nezur_External\Nezur.exe"
1⤵
PID:5692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f650fafe368981a7f67b39f180ea984e

SHA1
046d3de944403a3f2f67da5fa85b0107f569e7ae

SHA256
0e6e26da9360eb1b225afc8b4cead946637cc8ec78e9d38fbc7d0d1385325752

SHA512
995e3a55e7683c7b143a2a3d3f8b9346b147cef2cd0e92c5b9756b52b9aa6ddefacf2f881ff7f034e49a407604470eec952caf51a22f8bdfdeda565e35c72804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
5fc401291d317087d518994ef7d3147f

SHA1
cef1dc8c9e24340a67e42bd4520cf9354e7e7a78

SHA256
a46bd6ea0d6f740b8e1d03683a36170c89804497a7690e433296d90a2eda8434

SHA512
55f00ff6557bb9bbdb1ce60fc8de94f4e29a78dfd7de91256634218f4f1e1ea49ce128a7928284f80ab168e2d23309c183b62ad3a9790b380bfcbe3fd093aed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
da17431638ca042d35ab889e8ce6ac35

SHA1
16df193998b2672a99734ef82fee86ed1e1e481d

SHA256
bd173157a783a287a52d9b6cb790374d2db43b021c705e796a94e31ddb8a1e3e

SHA512
a2f4d56d70ffbd6d4b9e9988238ca78903ef05ca27e86053f9e55a77da421488d3b581e7ce357b812d5aadbdba4e07bbe7f187acf847cd8f1a6497c3127501ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
576616044562fc0f777e7cd740bfad5e

SHA1
39d9d13ffd1941db4b24a76f28cb08bf6c137040

SHA256
412e678875bc6f068b7394feadc270f4122afc3cb1eb8a7e0b5c022443c1186b

SHA512
983b9c93c12aec447ca27abe9145502d8c0a5355f070852e60a97befe09b0c38742458984c1d30283e617cbde318dda5bd785c4ffc799829dcf2ccf8af1fc1d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2be17b805cf7ec56df31fb953d240b5

SHA1
f0865eea771c0327c39b37e277f9bcb71e1f5e6e

SHA256
67cd106c0168339c7d0361a2382a4692894a7049e04ab36d2db0968bff2bba39

SHA512
bd5edbc859e6cb8ebf5088eaf41510f23b61ceebe24975536fc3e8ee2fd289a727baefd496d262db464b7bffc300c7b3353a8c120a837324ec1d1ac6dca8b285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bca3c8699e54eb08f38dea42fce8bedc

SHA1
d6a3e2a59f5d8c1e7f446c6930395d7cfe4e74f8

SHA256
b548077940be300ad8fc3518879eae06fba1991c2d096328a3d05631313fe0f1

SHA512
fb1395eb3a3b58197c3a85d3651b3a431ded099192ac5122dd1190b056f16517da8500a8405d381061a6e4c25496a99bdd8a49bf3d1f45cb1c931036df02006d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
66e92ed8ff6181f8e1b1b193826a67aa

SHA1
2096b910f992f8e8d24b2b8246e46a1d3c370a9f

SHA256
d26fa40e31cb88626bb944eeb36da7150490870c1602d995835112fc27fd69aa

SHA512
38cb9ab0d37210af757b55a8722d4d11a93d6b6c897c3162283617b5056c262cfad0fcb642395ee927d7771634996f96c5b0a293cd37f8d704614aeaa227e5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
128a56277020f645d4a554e72c33bc57

SHA1
9861e40363b81bed1557800dcba821791d1b4cdf

SHA256
e0f73d35cf5dbd620fe395322179084dd2a3f68448008317421a706bd26d1f07

SHA512
e510c8ccaa698b6f84eb271d2f47c6474f20a44c6346c5e9d622dfad0d58c816f60483b8ac5fb3af157841e54d1faf3edd6e43f893bc944dae6a2a78b0447278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
bee023a5482e8c32305211da5720af34

SHA1
85962f3b8b4d1164cfca08a778c79916621d46e8

SHA256
08e4273b20ffbbb64a15e8049d9c5e90d377e63dffa08316c1f074e68dc0818c

SHA512
c8a7b99e71824acee6918dd37108cef5d311f766f5df9fc817f5a119082a35ddef4f3477c82cf5aa18036f85c4416dd7ad45e29ccfcc9d081025126a7ccde318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f96272d9a1cdd258b99d76f35ec84af2

SHA1
d072390027f2bb0697b3bef8b73965b18033ab56

SHA256
dacfa9273cd6debf9d8596d9c3fda4ce1a872ff3ad43106e722a3220ed0ec509

SHA512
76d6ffe23352787aa42b69c7f89dc68b3cd0db797135d75ec5052be9378f51765f725fb06efaf63902eb17f6fc84d1149f6403c683b5d925ab26ecd30fcd793b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580cfb.TMP

Filesize
1KB

MD5
bba442d8b2825b71ec00956fcb5feff9

SHA1
b3b1f6b352ab5df0cba37c1f5127e946c01f054a

SHA256
17441ad25c37ecbcd3e1bc42ea42ec6b5fcf97f08c01f212d2d29c3c473b83c2

SHA512
92ac0dfdf0af656c2c97cdacfebf67dc55b94fa05421ce671e5d12d915748e0ea244e676be4bff114be365739f2889a9ccdbf2281321341e7e62deef92a00993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d1b7b7526ad5f73da34e167cb703a6b5

SHA1
2379a3a2c5591a82ce8c0af5154db20bd0aeb828

SHA256
e72013696c12245161b601e8715298c892dc499c2c44b19c94fc245b97839087

SHA512
0fcae7e6e2b1ea6a085c7f96c804a3e6d31aa008d7934127c894744c46ff3fe6f0ce7f580c034f9169129da070aa0c94bfcd734b07e0761fc62b1fe998bbe1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2f620a950a095c5a3c9c212f0247e93d

SHA1
0f0468ea4149f9ad8f2bb4a1556f0ed4d363668a

SHA256
c594bee25948f997d256b765fd8a4892c25f4311c71c4c1f6378d9ef7a5f8d12

SHA512
c1dab4f83759a55bdf5444a594758f9d59236c6ffdf6895135af71582d8a65dc7ba016d08320fa36dec33fcf3d8348dc5086369acba2e5cae9165fc2b367a42e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
4c098b273963512aa6569621c547650e

SHA1
944f60d97a6143ca1e16c267d3434f850dbac7a9

SHA256
ecc12940f61135b036d94c2c5e56c9ef828cbe768cb9afbfe578331aed26d627

SHA512
5b1d59083ab91dd6455e7724f00c4cb2fdf57577e3ba65d3f0c2609e263e9134389da5636a1bcf64377bdd21649ca4725c73501a53cd411a051a7d9cba67fb0f

Download Submit
C:\Users\Admin\Downloads\Nezur_External.zip

Filesize
23.6MB

MD5
05e683875da769aa3ccdaeaba6455749

SHA1
008a156de4454e9af953b6546c5e407a91f0627c

SHA256
572ea82f0e79b31a18e69ac8f011a540afbc26927db3bdf61ebdc600c4de5659

SHA512
1a78573b35dfa4922949d76f5cd39dac36f5cc10226ef17bd1d8e5d8d0e8792597f62839ab1a4ece3ed8656b5fc8edb2d2e0af3d728b5caff591d71b2825c063

Download Submit