6dba900ba4e73e88cf3d3a062f71735f30e615436d01aa96d18545e97d31a5a4

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-12-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nezur_Executor.zip
Size

22.5MB
MD5

4d37f25041bdde67a14e56c81df22d2d
SHA1

889cdd97c8e162e7b252f9a697c6458076b49483
SHA256

6dba900ba4e73e88cf3d3a062f71735f30e615436d01aa96d18545e97d31a5a4
SHA512

e8b8d2954158f0f263a46dfb018fd1cf13d9f6c3ef9de2add1dd2cd23be8b42dd50fff15fd89230c81df7a73ad8e16aeca8014db302f22505b3187b866d0ce05
SSDEEP

393216:CUvQPnPTpXYGgYlaUucsYWCa+uiGgphlV+ybX9ltoIY1VzH7X9wmRJ4rSm9Hhy/m:HvQvdXnO1sFXPKPqja/fltD3IFj

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 4 IoCs

pid	Process
3856	Nezur_Interface.exe
1052	Nezur_Interface.exe
2584	Nezur_Interface.exe
3892	Nezur_Interface.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133792795130593324"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3340	7zFM.exe
3340	7zFM.exe
3340	7zFM.exe
3340	7zFM.exe
1324	chrome.exe
1324	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3340	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3340	7zFM.exe
Token: 35	3340	7zFM.exe
Token: SeSecurityPrivilege	3340	7zFM.exe
Token: SeSecurityPrivilege	3340	7zFM.exe
Token: SeSecurityPrivilege	3340	7zFM.exe
Token: SeSecurityPrivilege	3340	7zFM.exe
Token: SeSecurityPrivilege	3340	7zFM.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe
Token: SeCreatePagefilePrivilege	1324	chrome.exe
Token: SeShutdownPrivilege	1324	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3340	7zFM.exe
3340	7zFM.exe
3340	7zFM.exe
3340	7zFM.exe
3340	7zFM.exe
3340	7zFM.exe
3340	7zFM.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe
1324	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3856	3340	7zFM.exe	77
PID 3340 wrote to memory of 3856	3340	7zFM.exe	77
PID 3340 wrote to memory of 3892	3340	7zFM.exe	83
PID 3340 wrote to memory of 3892	3340	7zFM.exe	83
PID 1324 wrote to memory of 4716	1324	chrome.exe	85
PID 1324 wrote to memory of 4716	1324	chrome.exe	85
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 2944	1324	chrome.exe	86
PID 1324 wrote to memory of 3908	1324	chrome.exe	87
PID 1324 wrote to memory of 3908	1324	chrome.exe	87
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88
PID 1324 wrote to memory of 3788	1324	chrome.exe	88

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nezur_Executor.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\7zOC0D22428\Nezur_Interface.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC0D22428\Nezur_Interface.exe"
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\7zOC0DFD1B8\Nezur_Interface.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC0DFD1B8\Nezur_Interface.exe"
  2⤵
  - Executes dropped EXE
  PID:3892

C:\Users\Admin\Desktop\Nezur_Interface.exe
"C:\Users\Admin\Desktop\Nezur_Interface.exe"
1⤵
- Executes dropped EXE
PID:1052

C:\Users\Admin\Desktop\Nezur_Interface.exe
"C:\Users\Admin\Desktop\Nezur_Interface.exe"
1⤵
- Executes dropped EXE
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e32fcc40,0x7ff9e32fcc4c,0x7ff9e32fcc58
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1752 /prefetch:2
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1692 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5272,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:2
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3148,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4624,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5224,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5404,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3424,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3396,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3280,i,13953187618436097025,3725997211945437087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:8
  2⤵
  PID:764

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000047C 0x000000000000048C
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4afc44075154b53c4c6929b153890519

SHA1
324b23d39d9e547bd1a7b029ef65b4221c93b44f

SHA256
6b9a6003a1b2cbcb86e56ab065ccbd9141c64bf4e13121f0bf2a5c9dc8962b44

SHA512
660b1d868b5e9708458973c6cdf4efe951a0c12edffb6dffa3e60ef675e0a4baba9ae5aa5728c2848637f5f77226508fea9d7bdb10a704ebe83a4c445cd1d866

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
853653cb03fcaea348c7d554ac46eb82

SHA1
7c2ac600ab0969cc850b1227fb9b176a060a5de2

SHA256
ff1dc5737a91d30eae0c9c62cf06af75def9e2a6608b8cc7b573d549465aa4e1

SHA512
13019a3b46d7242c4bd8b9825edf27802925e300c49aab6c53fcaa50ca74cfff1aa8868c8c3277449d27080971b50b8b43dd3a39d4e2541f30631f7afd7aa97f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
55b38a21f4ea400b3ec8a6dd3c6c2500

SHA1
7a6add2173c7804f79c417d2e208d6e59d733bf3

SHA256
318b9f1b18bcc03ea5624cfb1127d2d399fba331b448dc6e42823d0a81a99a05

SHA512
cb9b115ad88a0323149ff4a699ee024c812b502319b9d426b206a8379483664b62351b3358e30bc2c58bc703337123225188f389585208390c2261813be6abec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\ce0bb16f-b361-4c70-9fd7-cec64f0c6915.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed8a145f0bad0ec6cf70ef4c7ddac475

SHA1
6955af8879a5aca0459f3a13e9435a48549b3722

SHA256
a294b17d2ea551f0760fe52c11ab713f9bcdd51fc8195ba7f9644edd0ecbca6e

SHA512
64702a4c6fce240894a433ee1344b1152106d167b197d8e1aff10c67ede9bd69352faca4e127fa779e0bcab5f3c454502fce17a60e415d6af50cacb4c5749fdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f9bea98a38aebea3eec9f2c5e4bf4ba7

SHA1
11749e59a615a9c5822ee9e95642bceb65abd243

SHA256
563bd4898c2a2416c8bd232b4e14758e12d5f1558e48e25c66878df65f1d118c

SHA512
72ceecc77a0a15b839eb9f29d8141a16e5b02b8be29180e8b0ac28c906959810dd3930728886ea4e6bf3c09b86572eb5ce97442e08c6a2cfea2ca5452f216fad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c9fdd984921c407933b203e77351f54c

SHA1
a28775e19882d5b62212d3d7e3e6e2b8eaf2e58b

SHA256
fe9339486cbc129c65f9f1fef40160963d2c86d55344d7ed5dde6d0c956169ca

SHA512
48ae4800af1e5e4178f0f6a0c1537a9b2406e9535d500836085118c125bb5ddf337b33db37ca90259afde4d1b1a53983196ea0711779df35a0df6c675fb49f47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
476fba54e45ab650a22b06fcd48ca676

SHA1
1643c4bbdd51c6dbd1c03ab9990435cd0e98570c

SHA256
1465854e92081b035c2bea275e0d5ef2ecabbd250d05d202c7a1be51613c9e16

SHA512
3afa3e7ca081a6b0ea5eb9205fc3672582dc0256e6ddddac637eed473ba6a7b5d6e9b579e533223c7214d1971b7122cad48650814f33e44669bbfbe11e746b8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
69f42e1597eba37bd8d227dfe214aa9c

SHA1
2a51683cec410bcbb0f71b8fc663ba73de4195b4

SHA256
1c3ef57871f344f0ec44a1c7fac3511b081441154e9bb29a24e06e72f004249f

SHA512
8e1b3d1dafa2cecb0fc99d163aa5dd1a68f751dbaba45dfb6c99a90fee567b977d37f8d02bbe7ac5e1e897ba783976b3e98b4d131db3af98fd70f51c70bf5629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
b80154e54d2c9ed52fc06e50c66f855a

SHA1
b3e72837abfb8c14e0766074b1a9a32335ee09eb

SHA256
bdcecff4b088af7dd1e619d9579add14b3c23838f07e6c39a4a3537b57659f4a

SHA512
361a0787e983cf310d6049349ab201188f6d78d1a0897214fecbd409f4b6af815bded33e82bd769c21d174da811a00d2ffd4a712de36df96f548418966dadf8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
23631e7313e231b572270051da1288ed

SHA1
1e310da1230de45c96d0f7400f2596d3d9267d4a

SHA256
2f3cb64a139203b2dca90e8b9cacb86fbfdcd4b8c682c7aebf1e86d382299827

SHA512
a4f0c6efa0ac461324880b0ba899c650647439c204b6cd6c8dd66e92d85dc8147110cf8cf3a47cfc595e1af3b7c89e70d3f14f0249b4a055fc367b0bc1db5319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
d845c24595200bd51e9444d674d190f3

SHA1
7a8f6d3af5c8fa7ad0d953863d5087827da6d8da

SHA256
0f13de8a83fae5f12644552784987d797277ff28458277f5fee20f64ca9cc26f

SHA512
8f0d269caf8915c6c2dbc4d9897ecbed60b5addba5cf8b1f3999bfe80195738f311302036d1d2ad4ec611c607b416d4ea994ea62cdd03c2f54b5e4eecd4aa1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC0D22428\Nezur_Interface.exe

Filesize
154KB

MD5
7e7adfc3bdd9b766fb15521dc6b00f25

SHA1
ad6abf2d4dc87ae133be0aa8f2e77dc098ae8f8a

SHA256
3e08f027849d86c17909b507b25df78521afe175bcf30424f70ccabbfdf7665f

SHA512
29b33965f5a0b095b3fe8c16c88015584c62067fe3d78da4e4ec131d42918450dbec71e63bf7ba8917c531a4adccf8c0badf8c043523d959d964186789c01fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
7eb30442d29ede7959f3732d8717c8e0

SHA1
973f53b4dd7276216cbf8298d7c2532a0e0bd26d

SHA256
f69988fdb33e2cbbadb5caae8b03ca17eee627a25da6720955ed269876c92f25

SHA512
0be7e1b93b4a75ff23bd567a1debfae39797841721f74f68a8ca319585f76304df42fda051f79d5423fa8a778a3c7658ea19d5a45b165a548506fd7f04ad6208

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1324_2103381925\5c077b80-7f03-48d5-a685-f5836eb160af.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1324_2103381925\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit