File name: reFX Nexus v4.5.4 CE.exe

Full analysis: https://app.any.run/tasks/212dee84-95c4-4b85-b394-7f29c5c61b0c
Verdict: Malicious activity
Analysis date: June 25, 2024, 23:45:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 916BB1E135A5303EC950D1D863CDA8A1
SHA1: 6A018E6CA8E64037959DBAB39AAD8CDF2FB0F964
SHA256: 4F405B6012422E227ABA366494A8BF12BC6460B4246B2176EA0E850F188220C8
SSDEEP: 98304:3+QqZ8fnVph4S0Wvr/20gR3nE1tWyuuHJdkw2fe/HCmQJFuK5YAfevTkAP140T7c:93v9FfbuiRcEvQ1qPFk1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • reFX Nexus v4.5.4 CE.exe (PID: 2108)
      • reFX Nexus v4.5.4 CE.exe (PID: 3380)
      • reFX Nexus v4.5.4 CE.tmp (PID: 2300)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • reFX Nexus v4.5.4 CE.exe (PID: 2108)
      • reFX Nexus v4.5.4 CE.exe (PID: 3380)
      • reFX Nexus v4.5.4 CE.tmp (PID: 2300)
    • Reads the Windows owner or organization settings

      • reFX Nexus v4.5.4 CE.tmp (PID: 2300)
  • INFO

    • Checks supported languages

      • reFX Nexus v4.5.4 CE.exe (PID: 3380)
      • reFX Nexus v4.5.4 CE.tmp (PID: 3400)
      • reFX Nexus v4.5.4 CE.exe (PID: 2108)
      • reFX Nexus v4.5.4 CE.tmp (PID: 2300)
    • Create files in a temporary directory

      • reFX Nexus v4.5.4 CE.exe (PID: 3380)
      • reFX Nexus v4.5.4 CE.exe (PID: 2108)
    • Reads the computer name

      • reFX Nexus v4.5.4 CE.tmp (PID: 3400)
      • reFX Nexus v4.5.4 CE.tmp (PID: 2300)
    • Creates files in the program directory

      • reFX Nexus v4.5.4 CE.tmp (PID: 2300)
    • Creates files or folders in the user directory

      • reFX Nexus v4.5.4 CE.tmp (PID: 2300)
    • Creates a software uninstall entry

      • reFX Nexus v4.5.4 CE.tmp (PID: 2300)
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:05 15:54:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 48640
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 4.5.4.0
ProductVersionNumber: 4.5.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: reFX
FileDescription: Nexus
FileVersion: reFX Nexus
LegalCopyright: © 2006-2022 reFX
OriginalFileName:
ProductName: Nexus
ProductVersion: 4.5.4
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 1

Behavior graph (process chain)

start → reFX Nexus v4.5.4 CE.exe → reFX Nexus v4.5.4 CE.tmp (no specs) → reFX Nexus v4.5.4 CE.exe → reFX Nexus v4.5.4 CE.tmp

Process information

PID: 2108
CMD: "C:\Users\admin\AppData\Local\Temp\reFX Nexus v4.5.4 CE.exe" /SPAWNWND=$90164 /NOTIFYWND=$6015A
Path: C:\Users\admin\AppData\Local\Temp\reFX Nexus v4.5.4 CE.exe
Parent process: reFX Nexus v4.5.4 CE.tmp
User: admin
Company: reFX
Integrity Level: HIGH
Description: Nexus
Version: reFX Nexus
Modules (images):
  c:\users\admin\appdata\local\temp\refx nexus v4.5.4 ce.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 2300
CMD: "C:\Users\admin\AppData\Local\Temp\is-4JFNK.tmp\reFX Nexus v4.5.4 CE.tmp" /SL5="$6010A,14571176,791040,C:\Users\admin\AppData\Local\Temp\reFX Nexus v4.5.4 CE.exe" /SPAWNWND=$90164 /NOTIFYWND=$6015A
Path: C:\Users\admin\AppData\Local\Temp\is-4JFNK.tmp\reFX Nexus v4.5.4 CE.tmp
Parent process: reFX Nexus v4.5.4 CE.exe
User: admin
Company: reFX
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-4jfnk.tmp\refx nexus v4.5.4 ce.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\mpr.dll
  c:\windows\system32\comdlg32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 3380
CMD: "C:\Users\admin\AppData\Local\Temp\reFX Nexus v4.5.4 CE.exe"
Path: C:\Users\admin\AppData\Local\Temp\reFX Nexus v4.5.4 CE.exe
Parent process: explorer.exe
User: admin
Company: reFX
Integrity Level: MEDIUM
Description: Nexus
Version: reFX Nexus
Modules (images):
  c:\users\admin\appdata\local\temp\refx nexus v4.5.4 ce.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3400
CMD: "C:\Users\admin\AppData\Local\Temp\is-DDIVC.tmp\reFX Nexus v4.5.4 CE.tmp" /SL5="$6015A,14571176,791040,C:\Users\admin\AppData\Local\Temp\reFX Nexus v4.5.4 CE.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-DDIVC.tmp\reFX Nexus v4.5.4 CE.tmp
Parent process: reFX Nexus v4.5.4 CE.exe
User: admin
Company: reFX
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-ddivc.tmp\refx nexus v4.5.4 ce.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\mpr.dll
  c:\windows\system32\comdlg32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
Total events: 3 059
Read events: 3 027
Write events: 32
Delete events: 0

Modification events

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: FC080000607624C159C7DA01

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 0B3899787BCF4A2776FC47FE7DF63020F069BFC1D1997C6A0E5EDA029ED4CBB7

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: A4210D61F9FCB9CCD97C7FD2129EC502217B6D0E2C9037E06BCC033714444D85

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Native Instruments\reFX-NEXUS
Operation: write
Name: InstallVST64Dir
Value: C:\Program Files\Steinberg\VSTPlugins

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Native Instruments\reFX-NEXUS
Operation: write
Name: InstallVSTDir
Value: C:\Program Files\Steinberg\VSTPlugins

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Native Instruments\reFX-NEXUS
Operation: write
Name: ContentDir
Value: C:\Users\Public\Documents\reFX\NEXUS library\NKS

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Native Instruments\reFX-NEXUS
Operation: write
Name: ContentVersion
Value: 4.0.0

(PID) Process: (2300) reFX Nexus v4.5.4 CE.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nexus_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.0
Executable files: 11
Suspicious files: 11
Text files: 385
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2300 | reFX Nexus v4.5.4 CE.tmp | C:\Users\Public\Documents\reFX\NEXUS\is-II5VR.tmp | executable
  MD5: 64290EAC29FFC6D3E6DFDF7460BD77C6
  SHA256: 30D8B95C370E83BBB0238DD550C588EDB82A7E7FE69C42053F04E24798819696
2300 | reFX Nexus v4.5.4 CE.tmp | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin\desktop.ini | text
  MD5: 071777FF04749018AC08734C3B0FD805
  SHA256: 8BBFBCF955BFB458AD1B94FFED4F6A783A01C2C32F89CFA082547DA8F04DA761
2300 | reFX Nexus v4.5.4 CE.tmp | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin\is-MNPSR.tmp | ini
  MD5: 071777FF04749018AC08734C3B0FD805
  SHA256: 8BBFBCF955BFB458AD1B94FFED4F6A783A01C2C32F89CFA082547DA8F04DA761
2300 | reFX Nexus v4.5.4 CE.tmp | C:\Program Files\Common Files\VST3\is-6PDES.tmp | executable
  MD5: 94317F77B06EE3F70CEA21F5D091A942
  SHA256: 623C60239244EFFF5AD84AE879A62E0A7035EEDFBA0039604EE1877BA7B68C98
2108 | reFX Nexus v4.5.4 CE.exe | C:\Users\admin\AppData\Local\Temp\is-4JFNK.tmp\reFX Nexus v4.5.4 CE.tmp | executable
  MD5: DFAD9A5455AB06D766D297CB9B0AEC5A
  SHA256: E054198D6D446C069DF80AF7628FB0CFE5ED8CC3FCA233C5921EA4B4199C5805
2300 | reFX Nexus v4.5.4 CE.tmp | C:\Users\Public\Documents\reFX\NEXUS\3291ca99f75dadcbd4687456955d698d\license_n4.bin | binary
  MD5: CD767D08D4D4A89D57C132911C95D7A6
  SHA256: E44AAF10EEAE6A084683BED84A75AD11C84FDD615EF3C2D434B76256E1BE3B32
2300 | reFX Nexus v4.5.4 CE.tmp | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin\Contents\x64\Nexus.aaxplugin | executable
  MD5: 3ACCAFFB1291DC2D8121CEFA3747062A
  SHA256: 719FC1F4A9DA7EA16888E5EB89A3844D80243F94F5C4BB3EB2F78EB622A422D5
2300 | reFX Nexus v4.5.4 CE.tmp | C:\Program Files\Common Files\VST3\Nexus.vst3 | executable
  MD5: 94317F77B06EE3F70CEA21F5D091A942
  SHA256: 623C60239244EFFF5AD84AE879A62E0A7035EEDFBA0039604EE1877BA7B68C98
2300 | reFX Nexus v4.5.4 CE.tmp | C:\Users\Public\Documents\reFX\NEXUS\config_n4.json | binary
  MD5: EE3DEBBEE67A5D5EE16ECB33EC6BE419
  SHA256: 93CBDDF6A749F9B5E7E1F566932DADF3FDEC6D0AEC65224476C07814E8EECB98
2300 | reFX Nexus v4.5.4 CE.tmp | C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe | executable
  MD5: 9B636915E620B369DFB9F5995A010EB3
  SHA256: 78E7192751E4EDF5EB48DF9B1C7C6724C17213E7A209E28375B24DF339179F67
HTTP(S) requests: 3
TCP/UDP connections: 11
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 304 | 2.16.10.176:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | | | unknown
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 239.255.255.250:3702 | | | | unknown
 | | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1372 | svchost.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1372 | svchost.exe | 2.16.10.176:80 | ctldl.windowsupdate.com | Akamai International B.V. | AT | unknown
1372 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
ctldl.windowsupdate.com | 2.16.10.176, 2.16.10.179 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted

Threats

No threats detected
No debug info