File name:

nexus-2.2.0.exe

Full analysis: https://app.any.run/tasks/36a8d546-660c-4e60-95d1-5c7feccd200b
Verdict: Malicious activity
Analysis date: July 06, 2025, 05:23:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

35E07D829C031A5661C5BC4891923D4A

SHA1:

4F89EA6BAB94D800001678EFE256B526493CE484

SHA256:

56CEBC8F3F87209C25BBFB83E6CD2DE459533BD70DEC4BB9929F2FB30EE1AA73

SSDEEP:

98304:8CYzBJQd45RLHrCzou8M+SHmOVWjtKxgADpNrCCsM19VOoFqetqyS8aBEJ7YeAeV:MC0ZYCY1/uP3pIwXg2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • nexus-2.2.0.exe (PID: 7048)

    • The process drops C-runtime libraries

      • nexus-2.2.0.exe (PID: 7048)

    • Process drops legitimate windows executable

      • nexus-2.2.0.exe (PID: 7048)

    • Process drops python dynamic module

      • nexus-2.2.0.exe (PID: 7048)

    • Application launched itself

      • nexus-2.2.0.exe (PID: 7048)
      • updater.exe (PID: 4764)

    • Loads Python modules

      • nexus-2.2.0.exe (PID: 5340)

    • The process executes via Task Scheduler

      • updater.exe (PID: 4764)

  • INFO

    • Reads the computer name

      • nexus-2.2.0.exe (PID: 7048)
      • nexus-2.2.0.exe (PID: 5340)
      • updater.exe (PID: 4764)

    • Checks supported languages

      • nexus-2.2.0.exe (PID: 7048)
      • nexus-2.2.0.exe (PID: 5340)
      • updater.exe (PID: 4764)
      • updater.exe (PID: 4760)

    • Create files in a temporary directory

      • nexus-2.2.0.exe (PID: 7048)

    • The sample compiled with english language support

      • nexus-2.2.0.exe (PID: 7048)

    • Reads the machine GUID from the registry

      • nexus-2.2.0.exe (PID: 5340)

    • Checks proxy server information

      • nexus-2.2.0.exe (PID: 5340)
      • slui.exe (PID: 4012)

    • Reads the software policy settings

      • slui.exe (PID: 4012)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 4764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:29 20:12:31+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start nexus-2.2.0.exe nexus-2.2.0.exe slui.exe updater.exe no specs updater.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4012C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4760"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x254,0x2a4,0x111c460,0x111c46c,0x111c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
4764"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
5340"C:\Users\admin\Desktop\nexus-2.2.0.exe" C:\Users\admin\Desktop\nexus-2.2.0.exe
nexus-2.2.0.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\nexus-2.2.0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7048"C:\Users\admin\Desktop\nexus-2.2.0.exe" C:\Users\admin\Desktop\nexus-2.2.0.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\nexus-2.2.0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
3 827
Read events
3 827
Write events
0
Delete events
0

Modification events

No data
Executable files
28
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\MSVCP140.dllexecutable
MD5:7ACBC57D268A691247B4A94FECFA42B4
SHA256:B99EB28A471311113F5C4109CB3C463F39CFD9BDB3B07F706204DEDDDB4516A1
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\_ctypes.pydexecutable
MD5:1635A0C5A72DF5AE64072CBB0065AEBE
SHA256:1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\VCRUNTIME140.dllexecutable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\VCRUNTIME140_1.dllexecutable
MD5:135359D350F72AD4BF716B764D39E749
SHA256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\_hashlib.pydexecutable
MD5:D4674750C732F0DB4C4DD6A83A9124FE
SHA256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\_queue.pydexecutable
MD5:D8C1B81BBC125B6AD1F48A172181336E
SHA256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\_bz2.pydexecutable
MD5:86D1B2A9070CD7D52124126A357FF067
SHA256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\_decimal.pydexecutable
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\_lzma.pydexecutable
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
7048nexus-2.2.0.exeC:\Users\admin\AppData\Local\Temp\_MEI70482\_multiprocessing.pydexecutable
MD5:A9A0588711147E01EED59BE23C7944A9
SHA256:7581EDEA33C1DB0A49B8361E51E6291688601640E57D75909FB2007B2104FA4C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
53
DNS requests
19
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4844
RUXIMICS.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.131:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
20.190.159.68:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.3:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.23:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.0:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4844
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4844
RUXIMICS.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 95.101.149.131
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
login.live.com
  • 20.190.159.131
  • 20.190.159.130
  • 40.126.31.0
  • 20.190.159.73
  • 20.190.159.23
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.68
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.23
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
nexus-2.2.0.exe