redline | hxxps://bit[.]ly/32QWty2

Analysis

max time kernel
299s
max time network
299s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-02-2025 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/32QWty2

Score

10^/10

redline defense_evasion discovery infostealer trojan

Malware Config

Extracted

Family

redline

185.223.92.157:44160

Attributes

auth_value
4e5c6e2ba7063e715c19d342d7f1bcc9

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nitroheck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nitroheck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nitroheck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nitroheck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nitroheck.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nitroheck.exe

Executes dropped EXE 5 IoCs

pid	Process
3304	nitroheck.exe
1116	nitroheck.exe
2732	nitroheck.exe
4860	nitroheck.exe
3768	nitroheck.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nitroheck.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nitroheck.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitroheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitroheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitroheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitroheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitroheck.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc3653aee275db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031b851ade275db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbbc9aaee275db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c29855aee275db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1a141afe275db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\nitroheck.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3488	msedge.exe
3488	msedge.exe
492	msedge.exe
492	msedge.exe
768	identity_helper.exe
768	identity_helper.exe
616	msedge.exe
616	msedge.exe
2764	msedge.exe
2764	msedge.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3452	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	3132	7zG.exe
Token: 35	3132	7zG.exe
Token: SeSecurityPrivilege	3132	7zG.exe
Token: SeSecurityPrivilege	3132	7zG.exe
Token: 33	3764	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3764	SearchIndexer.exe
Token: SeDebugPrivilege	3452	taskmgr.exe
Token: SeSystemProfilePrivilege	3452	taskmgr.exe
Token: SeCreateGlobalPrivilege	3452	taskmgr.exe
Token: SeSecurityPrivilege	3452	taskmgr.exe
Token: SeTakeOwnershipPrivilege	3452	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
3132	7zG.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 492 wrote to memory of 3324	492	msedge.exe	77
PID 492 wrote to memory of 3324	492	msedge.exe	77
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 4344	492	msedge.exe	78
PID 492 wrote to memory of 3488	492	msedge.exe	79
PID 492 wrote to memory of 3488	492	msedge.exe	79
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80
PID 492 wrote to memory of 3608	492	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bit.ly/32QWty2
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffefa833cb8,0x7ffefa833cc8,0x7ffefa833cd8
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,325675347841648702,6383955047218396286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4664

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\nitroheck\" -ad -an -ai#7zMap20173:80:7zEvent24023
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3132

C:\Users\Admin\Downloads\nitroheck\nitroheck.exe
"C:\Users\Admin\Downloads\nitroheck\nitroheck.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:3304

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3764
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1436
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2736 2732 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
  2⤵
  - Modifies data under HKEY_USERS
  PID:2980
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2764 2572 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  - Modifies data under HKEY_USERS
  PID:4612

C:\Users\Admin\Downloads\nitroheck\nitroheck.exe
"C:\Users\Admin\Downloads\nitroheck\nitroheck.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:1116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3452

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4432

C:\Users\Admin\Downloads\nitroheck\nitroheck.exe
"C:\Users\Admin\Downloads\nitroheck\nitroheck.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:2732

C:\Users\Admin\Downloads\nitroheck\nitroheck.exe
"C:\Users\Admin\Downloads\nitroheck\nitroheck.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:4860

C:\Users\Admin\Downloads\nitroheck\nitroheck.exe
"C:\Users\Admin\Downloads\nitroheck\nitroheck.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
0c6990e14de68832c34dfbda3caeedfd

SHA1
9e3f997d249eed64233a30e6747db306376931d0

SHA256
3c4dcbee8bb9f04caeacae4b568a37603010c2e5ba56bd0cc3123f229f72a777

SHA512
49b6613f712e171916f066602776a1e595838fc839c7015890ef646c83ae715bd7f2486c2a4f45631ac8ce3df52a8a1bdf5dfbbcc87d105adea3844d39690399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
0057c91ac67a79b832c2735737fbb2db

SHA1
9ad7c1d8b6cce4ba647dba7cfc5eaff592c29898

SHA256
6375afef61e6823493861767f51c85c4c25b3ca551967b08ee8eb07a03126606

SHA512
38d2cb64f639871516df7fa8da5f77c1844a80c5367aa9a361c42650a610dd50f440d80f0bac393799cf87689459e97f550d0ecdad4dd6c8c220542c66184aa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d275b1f11132279d0a99ecaa6265189

SHA1
fbed0624ec6a788b869f05f9a0ff6dff8c0eb7da

SHA256
f3d998a5956afaec6052416d663424fa5dd39b4389c5bacd65ebc2b404b47fc1

SHA512
19287a02949841d2dc4b9214a02a75307da09c5ff2122f92dd5dd13a64ed4ebbaa284ab1474c9baf863110455514b999778a0b858c76dc6761f9ad52009a64a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9b4ea29bf72071e1efb988de04605d68

SHA1
b718505c3bc97bc0cd40a89b20c3219197720a8d

SHA256
fc8c9e6708f9285f5678bb395aa4c4df83b8fb2865a544c7bac68b8934fffb23

SHA512
2b24e4915d1df4474cf2133075a043fda1af3813abe06fd5c486209c2039f3e3eb2963b86d121ce2de6842a2ddba05d98844d35b74e0efe52c1672e0a0d3f7e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dba4ea285d553caa9acd1f50e312b2fc

SHA1
3e183c5bdf61461f15dddc7d54fde64ec8cabac5

SHA256
bbfe666f3707922c8feee7b2638a3b72201d4ae9b69b465ec4c0f32dc0abd311

SHA512
d6a80d73d2b3d0a98416b9b0cb0ad8f0fbf4f49c8aa5797b530cc304cff36e3f1d41a407e1bd9389fb31b953ba9ec4fc91c1456da6b1bee53f76698743659cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
db8009f7d9afb9351ea7bea8683c472a

SHA1
2e3f44ebad7c917a1d46d9f38646e5867f6fabc1

SHA256
eabc31f53ccab37edca4027f4f8da89a4386105a8e9b72d20b24e24ab8a25a67

SHA512
fcd238d24621119b4518051c920bacdcfaf1e68a4e49890af0a4f0bfc317ed93fe39e9efc0f7284535cf98cb1be5bf8d5154e56bb70b199bfb06d0bf983964b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
706ba6ca3b7af93707d11c427c04a1c9

SHA1
629ab7fdd8145e128316060a261d58079f366518

SHA256
2606dddaddd2e31e7d8aced9bb2f36daa3faf754aabde5ed85b1ecb32354af0a

SHA512
99ea6ad393b463dedf486c6f6d7d287b1c198f305257920a7b12f4b1137b8bf1ad0e52d4a5a4ef8dd8696da1af4eed2654e576f493806dc978233c281b2495ea

Download Submit
C:\Users\Admin\Downloads\nitroheck.zip

Filesize
1.5MB

MD5
31b93a071269edc41f30c5e154211375

SHA1
6fe56e3b9c965ea689a63139bf7c4b5d44c3341d

SHA256
87ed1ec85606e7c2c7719748b02d1cfa4d1085b16cbc425cc39d66f758cc69af

SHA512
ad08c9317d7738e04497d2659af9e055e0cc787f91123f368b8e7420dafef50057f1b85c0058fa73e3b1a2e46339f801d56fac71eeeff77c8aaf2d6a69cfe27e

Download Submit
C:\Users\Admin\Downloads\nitroheck.zip:Zone.Identifier

Filesize
312B

MD5
184094a7e10a552f8beda4d5bdf28eb0

SHA1
73a9fee7e613d91e56066de17aa435ba5a6958da

SHA256
00b22c32bb7585435f67384bfe64c98cc05e20adafd4cf43744d44982c40f298

SHA512
6bf260e57db0144a53dadc879df7539a9f437c26125c89701592033907af3cdbd950a7cd8d749a2a0fa165e6659188e78e2ef20a8c9086b89f49a0a6c4290402

Download Submit
C:\Users\Admin\Downloads\nitroheck\nitroheck.exe

Filesize
1.5MB

MD5
7af4a0897910180b7797fe648265c257

SHA1
c31c4989fb12a92d69cad0c03beba85bdde85e6f

SHA256
4861d94e0807108c7852a9456799afef088c5bef126b8e57ddf5c030d58bcff4

SHA512
c819aa6574916dccb92142f37ef32d3e80a83d9b0cdc90c717317c24f048fab898588b30fd9177acb1a9afa53ed004ea01af4f3759bd9461311e174525d8582f

Download Submit
C:\Users\Admin\Downloads\nitroheck\pass - 123.txt

Filesize
14B

MD5
2fc7149113d23a77e53d8fefe3dba5cc

SHA1
95f0fc81843b590b11536afa4b6674200b49091c

SHA256
13222555f88b355cfcff7ee3cd108cf31ac34bc7e275e2b74c04d7384f2fd36c

SHA512
b9478ddf96bd00d4cf08979c4d5d61d3da7c816a66d4fa2c74a4ca68a86d7b61dee4d87cd02d3273f56c0c9bc1867d0b93272b21976a6ea950cb683b0cec1e27

Download Submit
memory/1116-370-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/1116-372-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/1116-371-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2732-492-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2732-490-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2980-380-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-386-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-400-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-399-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-398-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-397-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-396-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-392-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-373-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-374-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-375-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-376-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-378-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-377-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-379-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-381-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-383-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-384-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-385-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-388-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-387-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-393-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-382-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-395-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-394-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-390-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/2980-391-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/3304-324-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/3304-323-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/3304-330-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/3304-327-0x0000000006570000-0x0000000006582000-memory.dmp

Filesize
72KB

Download
memory/3304-328-0x0000000006590000-0x000000000669A000-memory.dmp

Filesize
1.0MB

Download
memory/3304-329-0x00000000066A0000-0x00000000066DC000-memory.dmp

Filesize
240KB

Download
memory/3304-326-0x0000000005EB0000-0x00000000064C8000-memory.dmp

Filesize
6.1MB

Download
memory/3304-325-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/3764-364-0x0000027E6C080000-0x0000027E6C088000-memory.dmp

Filesize
32KB

Download
memory/3764-348-0x0000027E67AC0000-0x0000027E67AD0000-memory.dmp

Filesize
64KB

Download
memory/3764-332-0x0000027E67890000-0x0000027E678A0000-memory.dmp

Filesize
64KB

Download
memory/3768-506-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/3768-508-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/4860-501-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download