Malware analysis Nitro Generator Version Basic.zip Malicious activity

Add for printing

File name:	Nitro Generator Version Basic.zip
Full analysis:	https://app.any.run/tasks/772f0a08-e11b-4717-ab53-3444d87eb7a1
Verdict:	Malicious activity
Analysis date:	July 28, 2024, 14:28:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	python discord
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	63A74FB44329355FD2F0887D31AB1F84
SHA1:	519BF3C33D6F447F4471D906ADA6B91F3FB8BBE9
SHA256:	91BF6EDCF467BFBFC2F6B2BF0800CBAEAAFB5F67413175C1DB270893AAA22693
SSDEEP:	98304:xnjcuwMUB8EWJsEjk/Rv4VTcBtm0epG5UuIZ+/CRgLOI+Z7UVb0VP6kdLgYug/HP:mVy/R1Mjm6y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 4128)
  - main.exe (PID: 2456)
SUSPICIOUS
- Executable content was dropped or overwritten
  - main.exe (PID: 2456)
- Process drops python dynamic module
  - main.exe (PID: 2456)
- The process drops C-runtime libraries
  - main.exe (PID: 2456)
- Process drops legitimate windows executable
  - main.exe (PID: 2456)
- Starts CMD.EXE for commands execution
  - main.exe (PID: 1468)
- Loads Python modules
  - main.exe (PID: 1468)
- Application launched itself
  - main.exe (PID: 2456)
INFO
- Checks supported languages
  - main.exe (PID: 2456)
  - main.exe (PID: 1468)
- Reads the computer name
  - main.exe (PID: 2456)
  - main.exe (PID: 1468)
- Manual execution by a user
  - main.exe (PID: 2456)
  - notepad++.exe (PID: 3588)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4128)
- Checks proxy server information
  - main.exe (PID: 1468)
  - slui.exe (PID: 5080)
- Create files in a temporary directory
  - main.exe (PID: 2456)
- Reads the software policy settings
  - slui.exe (PID: 5080)
- Attempting to use instant messaging service
  - main.exe (PID: 1468)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:06:28 17:05:16
ZipCRC:	0xb3927ee5
ZipCompressedSize:	15096
ZipUncompressedSize:	39902
ZipFileName:	Invalid Nitro Codes.txt

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

161

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1468

"C:\Users\admin\Desktop\main.exe"

C:\Users\admin\Desktop\main.exe

main.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\desktop\main.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1516

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1780

C:\WINDOWS\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

—

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

2112

C:\WINDOWS\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

—

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

2456

"C:\Users\admin\Desktop\main.exe"

C:\Users\admin\Desktop\main.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\desktop\main.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

2692

C:\WINDOWS\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

—

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

2736

C:\WINDOWS\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

—

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

2952

C:\WINDOWS\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

—

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

3588

"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\main.exe"

C:\Program Files\Notepad++\notepad++.exe

explorer.exe

User:

admin

Company:

Don HO don.h@free.fr

Integrity Level:

MEDIUM

Description:

Notepad++ : a free (GNU) source code editor

Exit code:

Version:

7.91

Modules

Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll

3992

C:\WINDOWS\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

—

main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

5 223

Read events

5 215

Write events

Delete events

Modification events


(PID) Process:	(4128) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(4128) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(4128) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(4128) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Nitro Generator Version Basic.zip
(PID) Process:	(4128) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4128) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4128) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4128) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2456	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI24562\_lzma.pyd		executable
		MD5:E5ABC3A72996F8FDE0BCF709E6577D9D	SHA256:1796038480754A680F33A4E37C8B5673CC86C49281A287DC0C5CAE984D0CB4BB
2456	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI24562\_bz2.pyd		executable
		MD5:3859239CED9A45399B967EBCE5A6BA23	SHA256:A4DD883257A7ACE84F96BCC6CD59E22D843D0DB080606DEFAE32923FC712C75A
4128	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4128.26048\main.exe		executable
		MD5:F86F95B0461005E3569C398654477583	SHA256:D3099B3935E4C03F83FCCBA2AAA7A5E1799DB64DFB8D8CAE53FA0D418DDA20A9
2456	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI24562\_decimal.pyd		executable
		MD5:65B4AB77D6C6231C145D3E20E7073F51	SHA256:93EB9D1859EDCA1C29594491863BF3D72AF70B9A4240E0D9DD171F668F4F8614
2456	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI24562\_cffi_backend.cp311-win_amd64.pyd		executable
		MD5:210DEF84BB2C35115A2B2AC25E3FFD8F	SHA256:59767B0918859BEDDF28A7D66A50431411FFD940C32B3E8347E6D938B60FACDF
2456	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI24562\_ctypes.pyd		executable
		MD5:BD36F7D64660D120C6FB98C8F536D369	SHA256:EE543453AC1A2B9B52E80DC66207D3767012CA24CE2B44206804767F37443902
2456	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI24562\_hashlib.pyd		executable
		MD5:4255C44DC64F11F32C961BF275AAB3A2	SHA256:E557873D5AD59FD6BD29D0F801AD0651DBB8D9AC21545DEFE508089E92A15E29
2456	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI24562\VCRUNTIME140.dll		executable
		MD5:4585A96CC4EEF6AAFD5E27EA09147DC6	SHA256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
2456	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI24562\_socket.pyd		executable
		MD5:1EEA9568D6FDEF29B9963783827F5867	SHA256:74181072392A3727049EA3681FE9E59516373809CED53E08F6DA7C496B76E117
2456	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI24562\_queue.pyd		executable
		MD5:F00133F7758627A15F2D98C034CF1657	SHA256:35609869EDC57D806925EC52CCA9BC5A035E30D5F40549647D4DA6D7983F8659

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3676	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
4132	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
3720	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	95.100.146.27:443	www.bing.com	Akamai International B.V.	CZ	unknown
6572	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
484	slui.exe	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6012	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1292	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
720	slui.exe	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
t-ring-fdv2.msedge.net	13.107.237.254	unknown
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	95.100.146.27 95.100.146.17 95.100.146.32 95.100.146.40 95.100.146.35 95.100.146.33 95.100.146.25 2.23.209.171 2.23.209.160 2.23.209.168 2.23.209.169 2.23.209.167 2.23.209.161 2.23.209.166 2.23.209.162 2.23.209.175 2.23.209.145 2.23.209.136 2.23.209.139 2.23.209.148 2.23.209.149 2.23.209.193 2.23.209.135 2.23.209.192 2.23.209.143	whitelisted
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.184.238	whitelisted
fp-afd-nocache-ccp.azureedge.net	13.107.246.60	whitelisted
login.live.com	20.190.160.17 40.126.32.140 40.126.32.133 40.126.32.74 40.126.32.138 20.190.160.20 40.126.32.136 40.126.32.76	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted

Threats

PID	Process	Class	Message
1468	main.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2284	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)

Add for printing

Process	Message
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: error while getting certificate informations

General Info

Nitro Generator Version Basic.zip

63A74FB44329355FD2F0887D31AB1F84

519BF3C33D6F447F4471D906ADA6B91F3FB8BBE9

91BF6EDCF467BFBFC2F6B2BF0800CBAEAAFB5F67413175C1DB270893AAA22693

98304:xnjcuwMUB8EWJsEjk/Rv4VTcBtm0epG5UuIZ+/CRgLOI+Z7UVb0VP6kdLgYug/HP:mVy/R1Mjm6y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executable content was dropped or overwritten

Process drops python dynamic module

The process drops C-runtime libraries

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Loads Python modules

Application launched itself

INFO

Checks supported languages

Reads the computer name

Manual execution by a user

Executable content was dropped or overwritten

Checks proxy server information

Create files in a temporary directory

Reads the software policy settings

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings