download:

/ReaImastercoder69/Nitro-Generator-By-zizrx-/releases/download/Release/NitroCodes.zip

Full analysis: https://app.any.run/tasks/104cdbf0-d2a9-4934-bd86-0115515fed6f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 06, 2024, 21:58:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
discord
exfiltration
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

6B15A4121A9BAC902E6B2A4940F19BC4

SHA1:

554512CDCC56E026B247472B737A68B09EE300E7

SHA256:

8ECEC6606C110AB65B2F25F06FDA8217F94C23F9720A5B3092689288E6881B25

SSDEEP:

6144:2VN3CTX0YkGD6DZqaYClVopfMQJaQxXqZCbVI+LsQ2gFmhHDE7/b:2i5atqa6ukaQx9K4s9D2j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 6856)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7080)
      • powershell.exe (PID: 6856)
      • powershell.exe (PID: 6296)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6856)
      • powershell.exe (PID: 6296)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6172)
      • cmd.exe (PID: 6788)

    • Creates a writable file in the system directory

      • powershell.exe (PID: 6296)

    • Adds path to the Windows Defender exclusion list

      • powershell.exe (PID: 6296)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 6856)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 6856)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 6856)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • powershell.exe (PID: 6296)

    • Starts CMD.EXE for self-deleting

      • powershell.exe (PID: 6296)

    • Actions looks like stealing of personal data

      • powershell.exe (PID: 6296)

  • SUSPICIOUS

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 6788)
      • cmd.exe (PID: 6172)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5332)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6856)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 6856)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 5332)
      • powershell.exe (PID: 7080)
      • powershell.exe (PID: 6296)

    • Cryptography encrypted command line is found

      • powershell.exe (PID: 6856)
      • powershell.exe (PID: 6296)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 5332)
      • powershell.exe (PID: 7080)
      • powershell.exe (PID: 6296)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6788)
      • cmd.exe (PID: 6172)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6788)
      • wusa.exe (PID: 7040)
      • cmd.exe (PID: 6172)
      • powershell.exe (PID: 6296)

    • Uses ATTRIB.EXE to modify file attributes

      • powershell.exe (PID: 6296)

    • Application launched itself

      • powershell.exe (PID: 6296)

    • Script adds exclusion path to Windows Defender

      • powershell.exe (PID: 6296)

    • Script disables Windows Defender's IPS

      • powershell.exe (PID: 6296)

    • Script disables Windows Defender's real-time protection

      • powershell.exe (PID: 6296)

    • Uses WMIC.EXE to obtain Windows Installer data

      • powershell.exe (PID: 6296)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5764)

    • Checks for external IP

      • powershell.exe (PID: 6296)

    • Uses WMIC.EXE to obtain a list of video controllers

      • powershell.exe (PID: 6296)

    • Uses WMIC.EXE to obtain operating system information

      • powershell.exe (PID: 6296)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 6496)

    • Uses WMIC.EXE to obtain computer system information

      • powershell.exe (PID: 6296)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7072)

    • The process connected to a server suspected of theft

      • powershell.exe (PID: 6296)

  • INFO

    • Checks supported languages

      • wusa.exe (PID: 7040)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 6856)

    • Checks proxy server information

      • powershell.exe (PID: 6296)

    • Disables trace logs

      • powershell.exe (PID: 6296)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 6856)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6492)
      • powershell.exe (PID: 6152)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 7072)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2088)
      • WMIC.exe (PID: 7072)
      • WMIC.exe (PID: 6496)
      • WMIC.exe (PID: 5764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:06:25 12:29:14
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: NitroCodes/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
179
Monitored processes
38
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe wusa.exe no specs wusa.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe cmd.exe no specs conhost.exe no specs attrib.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
740\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1220\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeattrib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2088"wmic.exe" computersystem get totalphysicalmemoryC:\Windows\System32\wbem\WMIC.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2120\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4400ping localhost C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
5300C:\WINDOWS\system32\cmd.exe /c ""C:\Windows\System32\Win64.bat" "C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
5332"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\NitroCodes.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5732\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5764\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5764"wmic.exe" csproduct get uuidC:\Windows\System32\wbem\WMIC.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
51 498
Read events
51 442
Write events
56
Delete events
0

Modification events

(PID) Process:(5332) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(5332) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(5332) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(5332) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\NitroCodes.zip
(PID) Process:(5332) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(5332) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(5332) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(5332) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(5332) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@C:\WINDOWS\System32\acppage.dll,-6002
Value:
Windows Batch File
(PID) Process:(5332) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
2
Suspicious files
5
Text files
19
Unknown types
0

Dropped files

PID
Process
Filename
Type
6856powershell.exeC:\Windows \System32\wusa.exeexecutable
MD5:801B460F20F2978F29616947C8571925
SHA256:40DC0E7A94D204F263A48EBF316AB144A584D9EDA0CDD05D11114CFCC5397894
6856powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bsvkvgg3.xjz.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6856powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dgfkhqln.a4m.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5332WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa5332.45339\host.battext
MD5:714D12CD1811D5FC8F5005F4E636F7F0
SHA256:971840AC9B3CBC90FCBADB0E7D83CAEDE3B7A9E51ACE878C0C81E8F1AB85438E
6296powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_awzrrgyp.0pb.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6296powershell.exeC:\Users\admin\AppData\Local\Temp\Nv51FCWqSgzJkPJbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6492powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dqfj3j0n.v4q.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7072powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qbt21pcs.udj.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6152powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pmu0eogd.2v1.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6296powershell.exeC:\Users\admin\AppData\Local\Temp\UVm5gLdz5LEhMJ6sqlite
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
75
DNS requests
19
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1972
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1972
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1188
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
6668
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
6668
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
unknown
6296
powershell.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
unknown
4796
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1972
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4400
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
836
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
1972
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1972
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1972
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
4656
SearchApp.exe
2.23.209.130:443
www.bing.com
Akamai International B.V.
GB
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.179
  • 2.23.209.182
  • 2.23.209.189
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.134
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.136
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
gstatic.com
  • 142.250.184.195
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2168
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6296
powershell.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
6296
powershell.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2168
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6296
powershell.exe
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Discord
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/ReaImastercoder69/Nitro-Generator-By-zizrx-/releases/download/Release/NitroCodes.zip