File name: Nitro.exe

Full analysis: https://app.any.run/tasks/2b960086-5989-40d3-837f-fcb948cd084c
Verdict: Malicious activity
Threats: Stealer

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: June 21, 2025, 23:59:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: pastebin, discord, evasion, stealer, python, pyinstaller, discordgrabber, generic, ims-api

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: EA35A8472F27F246FDE70C4C7A16F315
SHA1: 5C5E86E77757278CCB1C4FDE6CFC3053828C18D4
SHA256: D23AAB6822F83486A792AFB7310912B552E050FEBDD0E92D3DC711A8E054C401
SSDEEP: 98304:3KUNttvTlkE0t7qFBd2zmKxu4CeyfZKZ6ZEdam5lvmuedj6PLfVVR/oLxairZld0:s+5ocd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions look like stealing of personal data
      • Nitro.exe (PID: 3640)
    • Steals credentials from Web Browsers
      • Nitro.exe (PID: 3640)
    • DISCORDGRABBER has been detected (YARA)
      • Nitro.exe (PID: 3640)
  • SUSPICIOUS
    • Process drops legitimate Windows executable
      • Nitro.exe (PID: 5084)
    • The process drops C-runtime libraries
      • Nitro.exe (PID: 5084)
    • Process drops Python dynamic module
      • Nitro.exe (PID: 5084)
    • Application launched itself
      • Nitro.exe (PID: 5084)
    • Executable content was dropped or overwritten
      • Nitro.exe (PID: 5084)
    • Loads Python modules
      • Nitro.exe (PID: 3640)
    • Checks for external IP
      • Nitro.exe (PID: 3640)
    • Starts CMD.EXE for command execution
      • Nitro.exe (PID: 3640)
    • Possible usage of Discord/Telegram API has been detected (YARA)
      • Nitro.exe (PID: 3640)
  • INFO
    • Creates files in a temporary directory
      • Nitro.exe (PID: 5084)
    • Checks supported languages
      • Nitro.exe (PID: 5084)
      • Nitro.exe (PID: 3640)
    • Reads the computer name
      • Nitro.exe (PID: 5084)
      • Nitro.exe (PID: 3640)
    • The sample was compiled with English language support
      • Nitro.exe (PID: 5084)
    • Checks proxy server information
      • Nitro.exe (PID: 3640)
    • Reads the machine GUID from the registry
      • Nitro.exe (PID: 3640)
    • Creates files or folders in the user directory
      • Nitro.exe (PID: 3640)
    • PyInstaller has been detected (YARA)
      • Nitro.exe (PID: 5084)
      • Nitro.exe (PID: 3640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

Process: Nitro.exe (PID: 3640)
Discord-Webhook-Tokens (1): 764820862905614356/-pbcT1V0qzpJylrjVHB_Jg4RJmCmI1Rz3WeFRPfwzjXc4gRWNGEpQp5VQlCxdw8jP9ki
Discord-Info-Links: 764820862905614356/-pbcT1V0qzpJylrjVHB_Jg4RJmCmI1Rz3WeFRPfwzjXc4gRWNGEpQp5VQlCxdw8jP9ki
Get Webhook Info: https://discord.com/api/webhooks/764820862905614356/-pbcT1V0qzpJylrjVHB_Jg4RJmCmI1Rz3WeFRPfwzjXc4gRWNGEpQp5VQlCxdw8jP9ki
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:08:08 12:28:18+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 135168
InitializedDataSize: 179712
UninitializedDataSize: -
EntryPoint: 0x8654
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 18
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph: start, nitro.exe, conhost.exe (no specs), nitro.exe (#DISCORDGRABBER), cmd.exe (no specs, multiple instances), slui.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 420 | CMD: C:\WINDOWS\system32\cmd.exe /c title Nitr | Path: C:\Windows\System32\cmd.exe | Parent process: Nitro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1336 | CMD: C:\WINDOWS\system32\cmd.exe /c title Nitro Ge | Path: C:\Windows\System32\cmd.exe | Parent process: Nitro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2072 | CMD: C:\WINDOWS\system32\cmd.exe /c title Nit | Path: C:\Windows\System32\cmd.exe | Parent process: Nitro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2212 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2276 | CMD: C:\WINDOWS\system32\cmd.exe /c title Nitro Genera | Path: C:\Windows\System32\cmd.exe | Parent process: Nitro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 3108 | CMD: C:\WINDOWS\system32\cmd.exe /c title Ni | Path: C:\Windows\System32\cmd.exe | Parent process: Nitro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 3640 | CMD: "C:\Users\admin\Desktop\Nitro.exe" | Path: C:\Users\admin\Desktop\Nitro.exe | Parent process: Nitro.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\nitro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 3832 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: Nitro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4824 | CMD: C:\WINDOWS\system32\cmd.exe /c title Nitro Gen | Path: C:\Windows\System32\cmd.exe | Parent process: Nitro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 4892 | CMD: C:\WINDOWS\system32\cmd.exe /c title Nitro Gen | Path: C:\Windows\System32\cmd.exe | Parent process: Nitro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events: 5 052
Read events: 5 052
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 13
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\libssl-1_1-x64.dll | executable
MD5:0205C08024BF4BB892B9F31D751531A0
SHA256:EBE7FFC7EB0B79E29BFC4E408EA27E9B633584DD7BC8E0B5FFC46AF19263844B
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_lzma.pyd | executable
MD5:C7BBBAB8B4764C1C2BFD480DC649653C
SHA256:96205C0EFBFBC282D3F4B76F8F2F189A409F365DBE9A9A088351A2906B18CD36
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_socket.pyd | executable
MD5:9F0683EB56D79D33EE3820F1D3504CC2
SHA256:39612C28EEF633EEF7E2E2C83A779FDDA178D043D7AEC0A07890E5D2A11CF4F8
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\libcrypto-1_1-x64.dll | executable
MD5:8C75BCA5EA3BEA4D63F52369E3694D01
SHA256:8513E629CD85A984E4A30DFE4B3B7502AB87C8BC920825C11035718CB0211EA0
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_hashlib.pyd | executable
MD5:E2F401C211FAB8C5E1517764E9175616
SHA256:76FB36E23B8F6821CAEC61C49F90B194632E68C9C78C9EB1F2E668C1B6383A73
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\unicodedata.pyd | executable
MD5:D009552163B6A795E0816EA5CE4928CE
SHA256:5938061557E920E925A4E9B31F950B6D25C5FF10E143FE8E1F773466810CE2A2
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\_ssl.pyd | executable
MD5:A7FADACB8F4FF72A26F1CCBCFCDC33C1
SHA256:B8232C839E99A3701657FE16F245E0AFCA2F269562682EB1A3468C47D07AC5CF
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\python37.dll | executable
MD5:D558D4DB5A6BD29A8B60B8AA46E5329A
SHA256:1CFDD40A9107D89310E4E3B6DF5F25F26944B312E61638D014F1B1A8050CCC07
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\select.pyd | executable
MD5:CF7BD630DB53356C3DFD51CA8822B696
SHA256:5ED33AFC7F63DE065457E0EF0852DE0CC182A7111BD852E855EB9F48451B0E58
5084 | Nitro.exe | C:\Users\admin\AppData\Local\Temp\_MEI50842\VCRUNTIME140.dll | executable
MD5:0E675D4A7A5B7CCD69013386793F68EB
SHA256:BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 27
DNS requests: 18
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4520 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4168 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4520 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4156 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | Nitro.exe | 104.26.13.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
4 | System | 192.168.100.255:138 | | | | whitelisted
3640 | Nitro.exe | 172.67.25.94:443 | pastebin.com | CLOUDFLARENET | US | whitelisted
3640 | Nitro.exe | 162.159.136.232:443 | discord.com | CLOUDFLARENET | | whitelisted
2336 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4168 | svchost.exe | 40.126.31.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.186.174 | whitelisted
api.ipify.org | 104.26.13.205, 172.67.74.152, 104.26.12.205 | shared
pastebin.com | 172.67.25.94, 104.22.69.199, 104.22.68.199 | whitelisted
discord.com | 162.159.136.232, 162.159.138.232, 162.159.137.232, 162.159.135.232, 162.159.128.233 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
login.live.com | 40.126.31.131, 40.126.31.128, 40.126.31.1, 20.190.159.2, 20.190.159.75, 40.126.31.2, 40.126.31.67, 20.190.159.68 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
crl.microsoft.com | 23.55.104.190, 23.55.104.172 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
2200 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
3640 | Nitro.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2200 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3640 | Nitro.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
2200 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
3640 | Nitro.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info