Malware analysis Nitro.zip Malicious activity | ANY.RUN

Add for printing

File name:	Nitro.zip
Full analysis:	https://app.any.run/tasks/4d599ff3-575b-4cd7-8111-a2053725dc1e
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 08:16:53
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto nitro arch-exec stealer discord exfiltration evasion ims-api generic ransomware
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	EC13587939BC2FE1B1CAA23529674C23
SHA1:	5B5945A9ACCE3826F07497BD7F5B8EC9F1722552
SHA256:	A8C411D150004F5BCEDBD71CB508DC279DA42F1A3308436B2B5DB6529B0B9119
SSDEEP:	768:REBJNkGahZWnv6xpFkVLd7z4FRcMrusQTaG8O6AT4BkkzlFN0zvt:OvmHZkve4+i9TYWT4+GFN0rt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- NITRO has been found (auto)
  - WinRAR.exe (PID: 6176)
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Generic archive extractor
  - WinRAR.exe (PID: 6176)
- Steals credentials from Web Browsers
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Changes the autorun value in the registry
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Actions looks like stealing of personal data
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Stealers network behavior
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Attempting to use instant messaging service
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- RANSOMWARE has been detected
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
SUSPICIOUS
- Executable content was dropped or overwritten
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Starts CMD.EXE for commands execution
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 6796)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 4760)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Checks for external IP
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- The process connected to a server suspected of theft
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6176)
- Launching a file from a Registry key
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Reads the computer name
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Manual execution by a user
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
  - WINWORD.EXE (PID: 4708)
- Checks supported languages
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Create files in a temporary directory
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Disables trace logs
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 4760)
- Checks proxy server information
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
  - slui.exe (PID: 3196)
- Reads the machine GUID from the registry
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
- Reads the software policy settings
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)
  - slui.exe (PID: 3196)
- Creates files or folders in the user directory
  - a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe (PID: 7056)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

ims-api

(PID) Process(7056) a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe

Discord-Webhook-Tokens (1)1373935940812144671/9TLvrL8iD3R6Lvb4BfXhO6WqACwmypO93gNi0FnSattCxDhIKmWbkD5fxMa9_5BqHtX0

Discord-Info-Links

1373935940812144671/9TLvrL8iD3R6Lvb4BfXhO6WqACwmypO93gNi0FnSattCxDhIKmWbkD5fxMa9_5BqHtX0

Get Webhook Infohttps://discord.com/api/webhooks/1373935940812144671/9TLvrL8iD3R6Lvb4BfXhO6WqACwmypO93gNi0FnSattCxDhIKmWbkD5fxMa9_5BqHtX0

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	51
ZipBitFlag:	0x0003
ZipCompression:	Unknown (99)
ZipModifyDate:	2025:06:21 08:00:42
ZipCRC:	0x7ab4424d
ZipCompressedSize:	25656
ZipUncompressedSize:	62976
ZipFileName:	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

153

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

420

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "A6CF5917-05C6-4AD5-90B3-169AB3F7308E" "E6E3F1D0-CB1D-43BB-817F-B172FE307AD5" "4708"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Exit code:

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2168

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

2620

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3196

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

4708

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\sectorfrom.rtf" /o ""

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Exit code:

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\rpcrt4.dll

4760

wmic csproduct get uuid

C:\Windows\SysWOW64\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6176

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Nitro.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6796

"cmd.exe"

C:\Windows\SysWOW64\cmd.exe

—

a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7056

"C:\Users\admin\Desktop\a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe"

C:\Users\admin\Desktop\a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

NitroRansomware

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

ims-api

(PID) Process(7056) a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe

Discord-Webhook-Tokens (1)1373935940812144671/9TLvrL8iD3R6Lvb4BfXhO6WqACwmypO93gNi0FnSattCxDhIKmWbkD5fxMa9_5BqHtX0

Discord-Info-Links

1373935940812144671/9TLvrL8iD3R6Lvb4BfXhO6WqACwmypO93gNi0FnSattCxDhIKmWbkD5fxMa9_5BqHtX0

Get Webhook Infohttps://discord.com/api/webhooks/1373935940812144671/9TLvrL8iD3R6Lvb4BfXhO6WqACwmypO93gNi0FnSattCxDhIKmWbkD5fxMa9_5BqHtX0

Add for printing

Total events

11 149

Read events

10 836

Write events

289

Delete events

Modification events


(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Nitro.zip
(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(6176) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	C:\Users\admin\Documents\brownafrican.rtf.givemenitro		binary
		MD5:4ADB74156E4A3C278A77E07A734D5A1A	SHA256:2ABB7274BF7CAD8B6E03B469C1CBCA0F5D0C0DBC7DD4C14564805D53EC238D07
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	C:\Users\admin\AppData\Local\Temp\a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe		executable
		MD5:E9C9CB2DDC4E64343FC6E4E514C8B5C2	SHA256:A0570660E7E0A9F97C0B7F5928EC4B2CA4332054A34EB4432D0B986B326CB81A
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	C:\Users\admin\Documents\OneNote Notebooks\My Notebook\Quick Notes.one.givemenitro		binary
		MD5:0167D60044811B1C5AC6488A1C92E013	SHA256:79EFFB844020AACDD2B5BCA5661ADD75A0F2EC7086BDAE71A0422AB54AD5BF8A
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	C:\Users\admin\Documents\Outlook Files\Outlook.pst.givemenitro		binary
		MD5:F0F3B1B1FCE238029FC0864D719E0016	SHA256:6B2F6D216966A00A23714AA3110846FA23B532BE6606CC2FFBEC1E4618813E40
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	C:\Users\admin\Documents\Outlook Files\Outlook1.pst.givemenitro		binary
		MD5:3E66C6AB2222E569EA62966A0283C090	SHA256:BF322668321ECDBC13F77013786D9B934D25471E7BDD45F847B193039999DE32
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	C:\Users\admin\Pictures\tomoption.png.givemenitro		binary
		MD5:0C93B9360062EE61926B5356D86EC62B	SHA256:963C85B8F255DB7C8D92DA68CEBE660754DEC526F935BFE4E34B918FDB72A537
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	C:\Users\admin\Desktop\a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe.givemenitro		binary
		MD5:59F5000F338C94D0BB512EA52A4353A3	SHA256:C7CB6CDAF59FF0BE9FDB4CA0CAFC3FCE34900491E53B178C0B9FB9487ADDB1C5
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	C:\Users\admin\Documents\Database1.accdb.givemenitro		binary
		MD5:EC72E4F3FC6B130AF1AD6656FEDC6E99	SHA256:8AEFEE6ABB52D1425C441B9963CA60B2BA28AA7270E7BF2B7E6AA462DB5C683F
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	C:\Users\admin\Pictures\audiomature.jpg.givemenitro		binary
		MD5:ECF1877E25D943F0E798F2AD9E29416E	SHA256:8FE94FE5F6E21CC65CCCB0D98E1E45447BBDC6907182DD0D2773385BEB74245A
6176	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6176.14778\a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe		executable
		MD5:E9C9CB2DDC4E64343FC6E4E514C8B5C2	SHA256:A0570660E7E0A9F97C0B7F5928EC4B2CA4332054A34EB4432D0B986B326CB81A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1688	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.24.77.10:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1128	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1128	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2940	svchost.exe	GET	200	23.209.209.135:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted
6776	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
4708	WINWORD.EXE	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
4708	WINWORD.EXE	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6876	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2336	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
1688	svchost.exe	20.190.160.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1688	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	184.24.77.10:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	20.190.160.2 20.190.160.64 40.126.32.140 20.190.160.66 20.190.160.130 40.126.32.68 20.190.160.5 20.190.160.3 40.126.31.69 20.190.159.64 40.126.31.67 20.190.159.0 40.126.31.71 20.190.159.2 20.190.159.129 40.126.31.129	whitelisted
ocsp.digicert.com	2.17.190.73 2.23.77.188	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
crl.microsoft.com	184.24.77.10 184.24.77.7 184.24.77.16 184.24.77.6 184.24.77.9 184.24.77.11 184.24.77.8 184.24.77.12 184.24.77.15	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
nexusrules.officeapps.live.com	52.111.243.31	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

Threats

PID	Process	Class	Message
2200	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2200	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
2200	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
7056	a0570660e7e0a9f97c0b7f5928ec4b2ca4332054a34eb4432d0b986b326cb81a.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

Nitro.zip

EC13587939BC2FE1B1CAA23529674C23

5B5945A9ACCE3826F07497BD7F5B8EC9F1722552

A8C411D150004F5BCEDBD71CB508DC279DA42F1A3308436B2B5DB6529B0B9119

768:REBJNkGahZWnv6xpFkVLd7z4FRcMrusQTaG8O6AT4BkkzlFN0zvt:OvmHZkve4+i9TYWT4+GFN0rt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

NITRO has been found (auto)

Generic archive extractor

Steals credentials from Web Browsers

Changes the autorun value in the registry

Actions looks like stealing of personal data

Stealers network behavior

Attempting to use instant messaging service

RANSOMWARE has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Uses WMIC.EXE to obtain Windows Installer data

Accesses product unique identifier via WMI (SCRIPT)

Possible usage of Discord/Telegram API has been detected (YARA)

Checks for external IP

The process connected to a server suspected of theft

INFO

Executable content was dropped or overwritten

Launching a file from a Registry key

Reads the computer name

Manual execution by a user

Checks supported languages

Create files in a temporary directory

Disables trace logs

Reads security settings of Internet Explorer

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

ims-api

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

ims-api

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests