Hi everyone,
I recently attempted to use nut.exe to load files onto my switch and immediately it sent my antivirus haywire. I've attached the full logs but there's mentions of keyloggers, registry entry editing as well as it seemingly attacking my 1Password and my Floorp web browser. Just wondering what everyone might think of something like this?
Code:
9/10/2024 2:36:50 PM
[25500] 1Password-BrowserSupport.exe C:\Users\AXXXnXXXXXXX\AppData\Local\1Password\app\8\browser_support_manifest_firefox.json {d634138d-c276-4fc8-924b-40a0ea21d284}
Command line 1Password-BrowserSupport.exe C:\Users\AXXXnXXXXXXX\AppData\Local\1Password\app\8\browser_support_manifest_firefox.json {d634138d-c276-4fc8-924b-40a0ea21d284}
Process id 25500
Execution details Token elevation: Limited, Integrity level: Medium
Image file path C:\Users\AXXXnXXXXXXX\AppData\Local\1Password\app\8\1Password-BrowserSupport.exe
Image file SHA1 8bb84d1b24bbcc6629f44be328a71f70aefe2fcb
Image file creation time Sep 9, 2024 8:39:06 AM
Image file last modification time Sep 9, 2024 8:39:06 AM
PE metadata 1Password-BrowserSupport.exe
User AzureAD\AXXXnXXXXXXX
9/10/2024 2:36:51 PM
[25992] floorp.exe -contentproc --channel=128520 -childID 35 -isForBrowser -prefsHandle 121400 -prefMapHandle 125688 -prefsLen 35496 -prefMapSize 265716 -jsInitHandle 1488 -jsInitLen 234780 -parentBuildID 20240908033729 -win32kLockedDown -appDir "C:\Program Files\Ablaze Floorp\browser" - {ead577f5-e355-41c5-8bc8-8aa05f10ed6f} 27148 tab
Command line "floorp.exe" -contentproc --channel=128520 -childID 35 -isForBrowser -prefsHandle 121400 -prefMapHandle 125688 -prefsLen 35496 -prefMapSize 265716 -jsInitHandle 1488 -jsInitLen 234780 -parentBuildID 20240908033729 -win32kLockedDown -appDir "C:\Program Files\Ablaze Floorp\browser" - {ead577f5-e355-41c5-8bc8-8aa05f10ed6f} 27148 tab
Process id 25992
Execution details Token elevation: Limited, Integrity level: Low
Image file path C:\Program Files\Ablaze Floorp\floorp.exe
Image file SHA1 7d486d3c8ce8e887486df6efae6a82fa75ed15fd
Image file creation time Sep 9, 2024 9:57:46 AM
Image file last modification time Sep 10, 2024 9:51:53 AM
PE metadata floorp.exe
User AzureAD\AXXXnXXXXXXX
9/10/2024 2:36:51 PM
[22728] floorp.exe -contentproc --channel=134488 -childID 36 -isForBrowser -prefsHandle 75912 -prefMapHandle 119472 -prefsLen 35496 -prefMapSize 265716 -jsInitHandle 1488 -jsInitLen 234780 -parentBuildID 20240908033729 -win32kLockedDown -appDir "C:\Program Files\Ablaze Floorp\browser" - {c67f14aa-b662-412f-96b7-c453a41f09a9} 27148 tab
Command line "floorp.exe" -contentproc --channel=134488 -childID 36 -isForBrowser -prefsHandle 75912 -prefMapHandle 119472 -prefsLen 35496 -prefMapSize 265716 -jsInitHandle 1488 -jsInitLen 234780 -parentBuildID 20240908033729 -win32kLockedDown -appDir "C:\Program Files\Ablaze Floorp\browser" - {c67f14aa-b662-412f-96b7-c453a41f09a9} 27148 tab
Process id 22728
Execution details Token elevation: Limited, Integrity level: Low
Image file path C:\Program Files\Ablaze Floorp\floorp.exe
Image file SHA1 7d486d3c8ce8e887486df6efae6a82fa75ed15fd
Image file creation time Sep 9, 2024 9:57:46 AM
Image file last modification time Sep 10, 2024 9:51:53 AM
PE metadata floorp.exe
User AzureAD\AXXXnXXXXXXX
9/10/2024 2:36:51 PM
[26584] 1Password-BrowserSupport.exe C:\Users\AXXXnXXXXXXX\AppData\Local\1Password\app\8\browser_support_manifest_firefox.json {d634138d-c276-4fc8-924b-40a0ea21d284}
Command line 1Password-BrowserSupport.exe C:\Users\AXXXnXXXXXXX\AppData\Local\1Password\app\8\browser_support_manifest_firefox.json {d634138d-c276-4fc8-924b-40a0ea21d284}
Process id 26584
Execution details Token elevation: Limited, Integrity level: Medium
Image file path C:\Users\AXXXnXXXXXXX\AppData\Local\1Password\app\8\1Password-BrowserSupport.exe
Image file SHA1 8bb84d1b24bbcc6629f44be328a71f70aefe2fcb
Image file creation time Sep 9, 2024 8:39:06 AM
Image file last modification time Sep 9, 2024 8:39:06 AM
PE metadata 1Password-BrowserSupport.exe
User AzureAD\AXXXnXXXXXXX
9/10/2024 2:36:53 PM
[26036] 1Password-BrowserSupport.exe C:\Users\AXXXnXXXXXXX\AppData\Local\1Password\app\8\browser_support_manifest_firefox.json {d634138d-c276-4fc8-924b-40a0ea21d284}
Command line 1Password-BrowserSupport.exe C:\Users\AXXXnXXXXXXX\AppData\Local\1Password\app\8\browser_support_manifest_firefox.json {d634138d-c276-4fc8-924b-40a0ea21d284}
Process id 26036
Execution details Token elevation: Limited, Integrity level: Medium
Image file path C:\Users\AXXXnXXXXXXX\AppData\Local\1Password\app\8\1Password-BrowserSupport.exe
Image file SHA1 8bb84d1b24bbcc6629f44be328a71f70aefe2fcb
Image file creation time Sep 9, 2024 8:39:06 AM
Image file last modification time Sep 9, 2024 8:39:06 AM
PE metadata 1Password-BrowserSupport.exe
User AzureAD\AXXXnXXXXXXX
9/10/2024 2:28:40 PM
[27356] nut.exe
Command line "nut.exe"
Process id 27356
Execution details Token elevation: Limited, Integrity level: Medium
Image file path C:\Users\AXXXnXXXXXXX\Downloads\nut.exe
Image file SHA1 1b1bb6125717d585984f8918127cb2a2392038e5
Image file creation time Sep 10, 2024 2:28:16 PM
Image file last modification time Sep 10, 2024 2:28:35 PM
PE metadata nut.exe
User AzureAD\AXXXnXXXXXXX
9/10/2024 2:28:42 PM
[27356] nut.exe created file python37.dll
SHA1 62989fccc089f70cc3994a3352dfb222e8a07023
Path C:\Users\AXXXnXXXXXXX\AppData\Local\Temp\_MEI273562\python37.dll
Size 3 MB
Is PE True
Last modified time Sep 10, 2024 2:28:42 PM
PE metadata python37.dll
Possible theft of passwords and other sensitive web browser information New Detected Medium
9/10/2024 2:28:44 PM
[17144] nut.exe
Command line "nut.exe"
Process id 17144
Execution details Token elevation: Limited, Integrity level: Medium
Image file path C:\Users\AXXXnXXXXXXX\Downloads\nut.exe
Image file SHA1 1b1bb6125717d585984f8918127cb2a2392038e5
Image file creation time Sep 10, 2024 2:28:16 PM
Image file last modification time Sep 10, 2024 2:28:35 PM
PE metadata nut.exe
User AzureAD\AXXXnXXXXXXX
9/10/2024 2:28:47 PM
[17144] nut.exe loaded image sqlite3.dll
SHA1 f040b9a51f22ae79e1eb2b96dd8e0f1c378c5363
Path C:\Users\AXXXnXXXXXXX\AppData\Local\Temp\_MEI273562\sqlite3.dll
Size 1 MB
Is PE True
Creation time Sep 10, 2024 2:28:43 PM
Last modified time Sep 10, 2024 2:28:43 PM
PE metadata sqlite3.dll
Possible theft of passwords and other sensitive web browser information New Detected Medium
9/10/2024 2:32:46 PM
[17144] nut.exe loaded image vaultcli.dll
SHA1 7cb8ffc1a4a5b6a6bcf4404f13ab2178e7cdf835
Path C:\Windows\System32\vaultcli.dll
Size 360 KB
Is PE True
Creation time May 23, 2024 10:23:16 AM
Last modified time May 23, 2024 10:23:16 AM
PE metadata vaultcli.dll
Possible theft of passwords and other sensitive web browser information New Detected Medium
9/10/2024 2:33:06 PM
nut.exe set a hook of type WH_KEYBOARD to monitor user keystrokes
Hook type WH_KEYBOARD
Mitre techniques T1056.001: Keylogging
Loaded library explorerframe.dll
Monitored keystrokes New Detected Low