Analysis
-
max time kernel
79s -
max time network
81s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/11/2024, 18:43
General
-
Target
Nezur_Executor (4).zip
-
Size
18.6MB
-
MD5
b464744ab9c9ebd75169f1c8639e432a
-
SHA1
ce83cff14a367c1fc88fdf1b9aa3df2e64549d85
-
SHA256
08975e2665243e02ad55dd53892d907554b297bc19ba2e4d11334eb67b45f3a6
-
SHA512
37f4cd8560b480126ca38135cdac10d28e56f36ba42583b8cfbdaf6555bc656a2448c67fc715b2337e1db07d4d87ec9336e7f7ab5418bf2bb4f9a0206817beaf
-
SSDEEP
393216:f7gYled7NfP4aahSJKqI9jE8tdBMm50uoYwQGKgyjy6KUvQPnPTpXYi:5elhAaaAUqIFuuozP1yjtvQvdR
Malware Config
Signatures
-
Downloads MZ/PE file
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: detect-gpu@latest
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: lottie-player@latest
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 46 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nezur_Executor (4).zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Nezur_Executor (4)\" -spe -an -ai#7zMap32093:94:7zEvent304351⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Nezur_Executor (4)\Nezur_Interface.exe"C:\Users\Admin\Desktop\Nezur_Executor (4)\Nezur_Interface.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://execkey.nezur.io/2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff9f5146f8,0x7fff9f514708,0x7fff9f5147183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7472 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7472 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7700 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6960 /prefetch:83⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6716 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8172 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,10011571555889505921,12550811818364170907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:13⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/nezur2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff9f5146f8,0x7fff9f514708,0x7fff9f5147183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,17934598328326960515,14653851143421216136,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,17934598328326960515,14653851143421216136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://1cheats.com/store/category/69-nezur-executor/2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff9f5146f8,0x7fff9f514708,0x7fff9f5147183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,18052751239757492299,7262980404033570097,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,18052751239757492299,7262980404033570097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://execkey.nezur.io/2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff9f5146f8,0x7fff9f514708,0x7fff9f5147183⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD561cef8e38cd95bf003f5fdd1dc37dae1
SHA111f2f79ecb349344c143eea9a0fed41891a3467f
SHA256ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA5126fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
-
Filesize
152B
MD50a9dc42e4013fc47438e96d24beb8eff
SHA1806ab26d7eae031a58484188a7eb1adab06457fc
SHA25658d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
-
Filesize
7KB
MD5fe88f31f0c478c82489eb12a71e57ede
SHA13e8ae336b027d113e3241e115016ce2fc9dcd641
SHA256eb4c6f4ef1a302e5e67988574f863ba25c62a13af014027db1381150524be46c
SHA512eac1a56f1ec9eaf828003b6ab90660c84729dd1bf3bdc03e22ec4692895d61edc96577f284b963a9b5379298f7b7911504bc59327a8040d17759d76ecbb4f901
-
Filesize
6KB
MD54bbec15d92c9329c7e7f049afd245b76
SHA1b0d768d32404e4f146d5d72989e7c2afc3c71e59
SHA25665fb41bde3f91753286e9aaaa28dc64537dc4517922eedb95cb2ec7146407421
SHA5122eeada75d6d82fef75ed4968715a8285ba5542b4f449e2285a19bbd831ab25516e5bb6e1197a51c9e221830729df5bbbbbcea9212a56e581072daa77a0756d48
-
Filesize
8KB
MD54036eafd18dbabfcd7009ccfae6bb8c3
SHA15de53d9e2f10b71bed9867a240f95622c7c7df43
SHA2561f3a74527809ea5fb07a295a435c919a3d5b2c59614cf1f1a65576ce09a58f6f
SHA512f11f3871a8432e755621886e383f4e1b976b6e69ed5d64a0a5d409e2338ef7afd0878db002892819dca3669013ebb46184cce61998b3d21a1aa56cb35f382c38
-
Filesize
7KB
MD5b01854fa7e4c9f6755d8909e4107fca8
SHA1496793e38daac759ef6142c38ca79aeb290e47f1
SHA25636ab2e818be3ecad5489ab695fe1b11d5927592513e69ad8fe3ebb1f3758b4fd
SHA5123a3388c4484d77c174b8b180159d3c5d4e0ca6d32d67e5f25f5e694ed2399b20900983ce062538dc86e6566dfa5ea4518c238722e1d7ed6d24a4577845cc94d3
-
Filesize
72B
MD517e53502ac538644f70397201623873e
SHA128d1d08be4b32617baaef026ec0d48295283ec43
SHA25697ca7b728ad5ec9c1e1df17f18dd16fa9f236f2a9a12d3a5227df68c4286085a
SHA512eef7d17e4ff77b7776e03c333f9611a07a1ef4ebd21805060b1d051c90e30259204b61388315d101a27ebe0831c8eb9e539cc14caab11a8c557560c10a30d07c
-
Filesize
48B
MD5d9f8c1a2f970f85a89eb169a48273633
SHA117d8e051db6385b5d4a7e52777fc31566fdc6840
SHA256c37bad9b1197c85ae46580ff1f96070e8a8f80de6231d7804ba726e13269c16e
SHA512b97660e48b31c82cbe134f20e921e1451d14bc58cbb9ba3960146e25ffac7a137de71596c80de1141f65e4a34f4e9e9cf38eea550a9f7bbc5eaab485478ef291
-
Filesize
116B
MD55fc8c29a8e0e4c1df6432078007bd812
SHA1211b4e9c6a4f8b17ef960652c9db6665b71b8612
SHA2563fee08ee72c3e03bd4cde20f85b59d37e66bf777e98c9943a3898a06d7b01e1d
SHA5126a62c4a6ed3bef262ceed775e1b10a0155f4af7d6b281f0904ea68c8e2f9c51d88b833ff269db0d77220fa473388d891e50de4ebe12c1319cdd98217754a9fad
-
Filesize
110B
MD5749ae209f803b99c3b381c815265b164
SHA1d772874b5ce1ed6f03c78e48362bd2a69ad51cbb
SHA2565a133644f1d96874012ec1b756021be1444c81d58c5d7259d257482202964ffe
SHA512449eb521597d88df9c4bd5d571b283423aaf879120d8d1568206612fc649d74896d419a1a74d106d2ccd41b5b896ee6dca5d5ada11abbbb36711294aaa631b30
-
Filesize
72B
MD50febb41f104c4c503b18fa3295532d49
SHA11cc687d3fa404fbc4ac8bafd4d5d69ba756890a1
SHA256593410dbc8038896c5958bbc9664f0ea32d23b767543b3fd3451053d35445e98
SHA51265f92f4f4c7272a000f08369dea60acac09c43b3e93bd4732d30d925129a942cee2188ea1ab60d05b55761d3261b1580613ae7da94c6c7d528b5962defd914b7
-
Filesize
48B
MD5814642c6da30920fe35fded502c70ff0
SHA162d54d84bf0c449afd2f3a421ef0a432475d5e9f
SHA256cfa1a21e947506a8092e4dc1d5471eb2da661635ae21a6529eec58068b064e84
SHA512e6074ef1e8f14c25bc2c67e76f5181ae4ded273f9d06c9784a0fe421f63fb4270c11453b4c080826de616916edb0b1f9bc2effc41bdebb1a1848ed351b89ff35
-
Filesize
1KB
MD54a4f0597d389c6ced6ba88a23888aeed
SHA1d98935ff03e57b03fc7a558ad0fe3432459ce812
SHA256b47c89ed8b5fc874a94cbb6bc7c460d884528ba54af14ff050c6cad030deb5f1
SHA512a7b469c34ac6f145eb373afe6897864a7f22023f27338983645041caba03a8d33f1b18f9905b1ca441f15ec4f74f3170b8c215ca63dde6d9eaa150ce36bb34e5
-
Filesize
1KB
MD5239a089a3ffaccfde04e056d3d7c8f5f
SHA14cc0601c2a0e0ddf19be140d84ce2b9257e45594
SHA256e7841c6a38207696e0abbe5fd972ac00761f68ed7c6ace4cf9a76e5eec982873
SHA5123ae22b4972a229f9dbac026c638ba67bfa93ea052d35069d97cd5e2376beda01651511c5279f36a8fd4c118294abc366e206921d0f78879134a12438207fd61e
-
Filesize
872B
MD5837607d7ba7eba69415d2188eead5afa
SHA13ef47868af664e2577fe76bfcba500b27209a8dc
SHA256344a2d8c670a90f3124d44a111f89024633243399ba925fd6be6670ced8b4b4c
SHA512db29e63d5c30707666e1104f22dc3f53a102526655034077a0defceb7ab8972604c4510f1b195cc8801b02eb8472d796d52918908f078746e0bc3957b15f27b2
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5dae05dcafcc7b9751fc63f7e185af917
SHA16667069fb6529325ffd87b01a96a9c3e531db6ba
SHA256aebb5e7a046c5cc5def672d218365c318c7c5697d2ef8fc3504a84a845e10514
SHA512b1bd7b66eaf5ff04d44d36872fa86b89fa62ab72ba78f1aca985ecf770a7c91391573909c47acadc04b29373b4a87e028d57807ae32a05754702ab3feaff5758
-
Filesize
8KB
MD5efcb8f1c4b23c4de4f1ddda5810cc026
SHA1b65cb76aa67bc347c5fa3dcbcc43d8f58fa4b982
SHA256f69469905af5410c2b418be1029d591dafbe4d885903e18fe9b186cd3d740149
SHA512cc37b187081d1fa578dfe1a48d0dd991c7f6d7ca1f65ec3534dbce5a4f07d609b2f7027bb6e30b30a3e8a05b90fd8d5c516ea010cfc538c930aa00ae702d32cb
-
Filesize
10KB
MD5d43f47efb6b0187b76d3e5fcfa0c4b3a
SHA11321c1d0704b2b1bba5666839dc086950f89ce07
SHA2562ff73dc0ab01920a2319fbbe8c2a61ff1a0e3af72bb1bea2b561631c17e66411
SHA5129cee8672a08c21fe93d30190ca524d9970fbd7a255a52ac40f5bc0ba010fb472b41f9ab392fe106a9b80138b33e3c7678f5b6337c351809e421f7c42d2c25472
-
Filesize
3KB
MD534c45d78bdd90b1b2bd1d05d715c2849
SHA1d84c1a72c1308ded0885659cc99a4d62a868d3af
SHA256ee0cf1308dd91eba2003d31e886b88258f9f9943f9a778ae81b358dd9fded546
SHA512f6bd271a8e7d240cdb6b4d1e118e81257b0a656285db66ea2c065c86a0c2615559dc753c1bf21e8423f2664d7d960aef4d19771456187e4688c922d654b67a5b
-
Filesize
6.4MB
MD55e975740e102716f97f71abeaf5dcf62
SHA1d57a5e40cb351eb739cffd24a6855ab21654063f
SHA256f07c2a215d43e783f096810a3a89cdd8c3cd99b56c774e7cdb5ab399cc73bd36
SHA512dd1ed65c09c6ae815b174b1eea0817f155bbf7541fc48aa0e63c51358a8b3948474e956adf1c6ec3713c49b524402603193a7bd8cb03710175e65b0b3b226d6e
-
Filesize
154KB
MD57e7adfc3bdd9b766fb15521dc6b00f25
SHA1ad6abf2d4dc87ae133be0aa8f2e77dc098ae8f8a
SHA2563e08f027849d86c17909b507b25df78521afe175bcf30424f70ccabbfdf7665f
SHA51229b33965f5a0b095b3fe8c16c88015584c62067fe3d78da4e4ec131d42918450dbec71e63bf7ba8917c531a4adccf8c0badf8c043523d959d964186789c01fab
-
Filesize
458B
MD507b9a30265ca4e69c7016a1b6e3ffc27
SHA13a4af82a2695b1423aedd8b60a5c86793c011b02
SHA256c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782
SHA512efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c