File name: Nitro.exe

Full analysis: https://app.any.run/tasks/2b960086-5989-40d3-837f-fcb948cd084c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: June 21, 2025, 23:59:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: pastebin, discord, evasion, stealer, python, pyinstaller, discordgrabber, generic, ims-api
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: EA35A8472F27F246FDE70C4C7A16F315
SHA1: 5C5E86E77757278CCB1C4FDE6CFC3053828C18D4
SHA256: D23AAB6822F83486A792AFB7310912B552E050FEBDD0E92D3DC711A8E054C401
SSDEEP: 98304:3KUNttvTlkE0t7qFBd2zmKxu4CeyfZKZ6ZEdam5lvmuedj6PLfVVR/oLxairZld0:s+5ocd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions look like stealing of personal data
      • Nitro.exe (PID: 3640)
    • Steals credentials from Web Browsers
      • Nitro.exe (PID: 3640)
    • DISCORDGRABBER has been detected (YARA)
      • Nitro.exe (PID: 3640)
  • SUSPICIOUS
    • Process drops Python dynamic module
      • Nitro.exe (PID: 5084)
    • Executable content was dropped or overwritten
      • Nitro.exe (PID: 5084)
    • Process drops legitimate Windows executable
      • Nitro.exe (PID: 5084)
    • Application launched itself
      • Nitro.exe (PID: 5084)
    • The process drops C-runtime libraries
      • Nitro.exe (PID: 5084)
    • Loads Python modules
      • Nitro.exe (PID: 3640)
    • Checks for external IP
      • Nitro.exe (PID: 3640)
    • Possible usage of Discord/Telegram API has been detected (YARA)
      • Nitro.exe (PID: 3640)
    • Starts CMD.EXE for command execution
      • Nitro.exe (PID: 3640)
  • INFO
    • Reads the computer name
      • Nitro.exe (PID: 5084)
      • Nitro.exe (PID: 3640)
    • Checks supported languages
      • Nitro.exe (PID: 5084)
      • Nitro.exe (PID: 3640)
    • The sample was compiled with English language support
      • Nitro.exe (PID: 5084)
    • Creates files in a temporary directory
      • Nitro.exe (PID: 5084)
    • Reads the machine GUID from the registry
      • Nitro.exe (PID: 3640)
    • Checks proxy server information
      • Nitro.exe (PID: 3640)
    • Creates files or folders in the user directory
      • Nitro.exe (PID: 3640)
    • PyInstaller has been detected (YARA)
      • Nitro.exe (PID: 5084)
      • Nitro.exe (PID: 3640)

ims-api

(PID) Process (3640) Nitro.exe
Discord-Webhook-Tokens (1): 764820862905614356/-pbcT1V0qzpJylrjVHB_Jg4RJmCmI1Rz3WeFRPfwzjXc4gRWNGEpQp5VQlCxdw8jP9ki
Discord-Info-Links: 764820862905614356/-pbcT1V0qzpJylrjVHB_Jg4RJmCmI1Rz3WeFRPfwzjXc4gRWNGEpQp5VQlCxdw8jP9ki
Get Webhook Info: https://discord.com/api/webhooks/764820862905614356/-pbcT1V0qzpJylrjVHB_Jg4RJmCmI1Rz3WeFRPfwzjXc4gRWNGEpQp5VQlCxdw8jP9ki
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:08:08 12:28:18+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 135168
InitializedDataSize: 179712
UninitializedDataSize: -
EntryPoint: 0x8654
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
Total processes: 154
Monitored processes: 18
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Process tree from the behavior graph: nitro.exe (start) → conhost.exe (no specs), nitro.exe (#DISCORDGRABBER), fourteen cmd.exe instances (no specs), slui.exe (no specs)]

Process information

PID | CMD | Path | Indicators | Parent process
420 | C:\WINDOWS\system32\cmd.exe /c title Nitr | C:\Windows\System32\cmd.exe | - | Nitro.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1336 | C:\WINDOWS\system32\cmd.exe /c title Nitro Ge | C:\Windows\System32\cmd.exe | - | Nitro.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2072 | C:\WINDOWS\system32\cmd.exe /c title Nit | C:\Windows\System32\cmd.exe | - | Nitro.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2212 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Activation Client | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2276 | C:\WINDOWS\system32\cmd.exe /c title Nitro Genera | C:\Windows\System32\cmd.exe | - | Nitro.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
3108 | C:\WINDOWS\system32\cmd.exe /c title Ni | C:\Windows\System32\cmd.exe | - | Nitro.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
3640 | "C:\Users\admin\Desktop\Nitro.exe" | C:\Users\admin\Desktop\Nitro.exe | DISCORDGRABBER | Nitro.exe
User: admin | Integrity Level: MEDIUM
Modules / Images:
c:\users\admin\desktop\nitro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3832 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | Nitro.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4824 | C:\WINDOWS\system32\cmd.exe /c title Nitro Gen | C:\Windows\System32\cmd.exe | - | Nitro.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
4892 | C:\WINDOWS\system32\cmd.exe /c title Nitro Gen | C:\Windows\System32\cmd.exe | - | Nitro.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events: 5 052
Read events: 5 052
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 13
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_hashlib.pyd | executable
MD5:E2F401C211FAB8C5E1517764E9175616
SHA256:76FB36E23B8F6821CAEC61C49F90B194632E68C9C78C9EB1F2E668C1B6383A73
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_bz2.pyd | executable
MD5:E5BA852CB53065389044FE34474A4699
SHA256:690BFD170E038B7B369EB4E4E32621823B1050D895BAE3EF538C6382CDC1B2B0
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_lzma.pyd | executable
MD5:C7BBBAB8B4764C1C2BFD480DC649653C
SHA256:96205C0EFBFBC282D3F4B76F8F2F189A409F365DBE9A9A088351A2906B18CD36
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_ssl.pyd | executable
MD5:A7FADACB8F4FF72A26F1CCBCFCDC33C1
SHA256:B8232C839E99A3701657FE16F245E0AFCA2F269562682EB1A3468C47D07AC5CF
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_socket.pyd | executable
MD5:9F0683EB56D79D33EE3820F1D3504CC2
SHA256:39612C28EEF633EEF7E2E2C83A779FDDA178D043D7AEC0A07890E5D2A11CF4F8
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_ctypes.pyd | executable
MD5:9E18ACA18E4ECE1C187F8C0CD12A5C8F
SHA256:3351627469EA8965B08BAFC9DE18D1D890479357DF6BC8917F7218535E02F211
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\select.pyd | executable
MD5:CF7BD630DB53356C3DFD51CA8822B696
SHA256:5ED33AFC7F63DE065457E0EF0852DE0CC182A7111BD852E855EB9F48451B0E58
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\libssl-1_1-x64.dll | executable
MD5:0205C08024BF4BB892B9F31D751531A0
SHA256:EBE7FFC7EB0B79E29BFC4E408EA27E9B633584DD7BC8E0B5FFC46AF19263844B
3640 | Nitro.exe | C:\Users\admin\Desktop\Nitro.txt | text
MD5:2984BB2BE0B987FCC2B5ABC397A50B38
SHA256:530C9A67319AC458D0CC5D4FFF49898B9A038389D0CDC9CA48FAD255B07FA21E
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\nitro.exe.manifest | xml
MD5:4818855F73B865ADAC0EAF7C75C0658B
SHA256:18B99CC6C511459CD049EA7089CBF9557375EF0B13C148B2388E1E3320E09A1A
HTTP(S) requests: 5
TCP/UDP connections: 27
DNS requests: 18
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4168 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4520 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4520 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4156 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | Nitro.exe | 104.26.13.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3640 | Nitro.exe | 172.67.25.94:443 | pastebin.com | CLOUDFLARENET | US | whitelisted
3640 | Nitro.exe | 162.159.136.232:443 | discord.com | CLOUDFLARENET | - | whitelisted
2336 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4168 | svchost.exe | 40.126.31.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.186.174 | whitelisted
api.ipify.org | 104.26.13.205, 172.67.74.152, 104.26.12.205 | shared
pastebin.com | 172.67.25.94, 104.22.69.199, 104.22.68.199 | whitelisted
discord.com | 162.159.136.232, 162.159.138.232, 162.159.137.232, 162.159.135.232, 162.159.128.233 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
login.live.com | 40.126.31.131, 40.126.31.128, 40.126.31.1, 20.190.159.2, 20.190.159.75, 40.126.31.2, 40.126.31.67, 20.190.159.68 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
crl.microsoft.com | 23.55.104.190, 23.55.104.172 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
2200 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
3640 | Nitro.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2200 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3640 | Nitro.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
2200 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
3640 | Nitro.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info