File name: phaze.exe

Full analysis: https://app.any.run/tasks/d9372224-722e-4dda-8b19-f67346cf723c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: June 21, 2025, 13:29:48
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
trox
stealer
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5: EE950F3BA4AE2A65D9EBF44A0EC452C0
SHA1: 5739CFEBEAC1F15DFD41852A35891AB3B7543EF5
SHA256: 0EB46DE1ECD036F7560A72BBEDEAF02F8773CF6137F4C21ABFF1975CDD3D9EB0
SSDEEP: 393216:uLl3lHrofjZ8LC5p4DEaZpN6vEt/NnM1RB577hZ:qfcfFyC58bYvm/d2RBN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TROX has been detected

      • phaze.exe (PID: 2644)
      • phaze.exe (PID: 4560)
  • SUSPICIOUS

    • Process drops Python dynamic module

      • phaze.exe (PID: 2644)
      • phaze.exe (PID: 4560)
    • Executable content was dropped or overwritten

      • phaze.exe (PID: 2644)
      • phaze.exe (PID: 4560)
    • Process drops legitimate windows executable

      • phaze.exe (PID: 4560)
      • phaze.exe (PID: 2644)
    • The process drops C-runtime libraries

      • phaze.exe (PID: 4560)
      • phaze.exe (PID: 2644)
    • Loads Python modules

      • phaze.exe (PID: 6440)
      • phaze.exe (PID: 6024)
    • Application launched itself

      • phaze.exe (PID: 4560)
      • phaze.exe (PID: 2644)
    • Reads security settings of Internet Explorer

      • phaze.exe (PID: 2644)
      • phaze.exe (PID: 4560)
    • There is functionality for taking screenshot (YARA)

      • dllhost.exe (PID: 6696)
  • INFO

    • Checks supported languages

      • phaze.exe (PID: 4560)
      • phaze.exe (PID: 2644)
      • phaze.exe (PID: 6440)
      • phaze.exe (PID: 6024)
    • The sample was compiled with English language support

      • phaze.exe (PID: 4560)
      • phaze.exe (PID: 2644)
    • Creates files in a temporary directory

      • phaze.exe (PID: 4560)
      • phaze.exe (PID: 2644)
    • Reads the computer name

      • phaze.exe (PID: 6440)
      • phaze.exe (PID: 2644)
      • phaze.exe (PID: 6024)
      • phaze.exe (PID: 4560)
    • Manual execution by a user

      • phaze.exe (PID: 2644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:01 17:39:09+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.43
CodeSize: 128000
InitializedDataSize: 34887680
UninitializedDataSize: 163328
EntryPoint: 0x10f6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 106
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes (in order shown): start; phaze.exe (#TROX); phaze.exe (no specs); dllhost.exe (no specs); phaze.exe (#TROX); phaze.exe (no specs)

Process information

PID: 2644
CMD: "C:\Users\admin\Desktop\phaze.exe"
Path: C:\Users\admin\Desktop\phaze.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\desktop\phaze.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 4560
CMD: "C:\Users\admin\Desktop\phaze.exe"
Path: C:\Users\admin\Desktop\phaze.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\phaze.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 6024
CMD: C:\Users\admin\Desktop\phaze.exe
Path: C:\Users\admin\Desktop\phaze.exe
Parent process: phaze.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\desktop\phaze.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 6440
CMD: C:\Users\admin\Desktop\phaze.exe
Path: C:\Users\admin\Desktop\phaze.exe
Parent process: phaze.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\phaze.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 6696
CMD: "C:\Windows\system32\DllHost.exe" /Processid:{B41DB860-64E4-11D2-9906-E49FADC173CA}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
Total events: 2 126
Read events: 2 126
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 178
Suspicious files: 2
Text files: 4
Unknown types: 0

Dropped files

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\Phaze.dll
Type:
MD5:
SHA256:

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\_ctypes.pyd
Type: executable
MD5: 10FDCF63D1C3C3B7E5861FBB04D64557
SHA256: BC3B83D2DC9E2F0E6386ED952384C6CF48F6EED51129A50DFD5EF6CBBC0A8FB3

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\_asyncio.pyd
Type: executable
MD5: 2CD68FF636394D3019411611E27D0A3B
SHA256: 0D4FBD46F922E548060EA74C95E99DC5F19B1DF69BE17706806760515C1C64FE

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\_hashlib.pyd
Type: executable
MD5: F495D1897A1B52A2B15C20DCECB84B47
SHA256: E47E76D70D508B62924FE480F30E615B12FDD7745C0AAC68A2CDDABD07B692AE

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\_lzma.pyd
Type: executable
MD5: 4E2239ECE266230ECB231B306ADDE070
SHA256: 34130D8ABE27586EE315262D69AF4E27429B7EAB1F3131EA375C2BB62CF094BE

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\_decimal.pyd
Type: executable
MD5: 21C73E7E0D7DAD7A1FE728E3B80CE073
SHA256: A28C543976AA4B6D37DA6F94A280D72124B429F458D0D57B7DBCF71B4BEA8F73

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\_bz2.pyd
Type: executable
MD5: C7CE973F261F698E3DB148CCAD057C96
SHA256: 02D772C03704FE243C8DE2672C210A5804D075C1F75E738D6130A173D08DFCDE

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\_mysql_connector.pyd
Type: executable
MD5: F1B8CF907FA97E48662AE065F60A54B3
SHA256: 42BFF3C580DD00E67D0F1E0E91794D73C962E56301BA34D3A08806B9F1684420

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\_multiprocessing.pyd
Type: executable
MD5: 811BCEE2F4246265898167B103FC699B
SHA256: FB69005B972DC3703F9EF42E8E0FDDF8C835CB91F57EF9B6C66BBDF978C00A8C

PID: 4560
Process: phaze.exe
Filename: C:\Users\admin\AppData\Local\Temp\onefile_4560_133949862108580337\_queue.pyd
Type: executable
MD5: 6E00E0821BB519333CCFD4E61A83CB38
SHA256: 2AD02D49691A629F038F48FCDEE46A07C4FCC2CB0620086E7B09AC11915AE6B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 29
DNS requests: 21
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2020 | MoUsoCoreWorker.exe | GET | 304 | 2.19.11.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a3900b9aa1408728 | unknown | - | - | whitelisted
- | - | GET | 304 | 2.19.11.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?374cad77f5107e58 | unknown | - | - | whitelisted
- | - | POST | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/ | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D | unknown | - | - | whitelisted
- | - | POST | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/ | unknown | - | - | whitelisted
2840 | svchost.exe | GET | 200 | 2.19.11.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6c478a3cb1f9bc68 | unknown | - | - | whitelisted
- | - | GET | 200 | 13.107.6.156:443 | https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v1/C2RTargetAudienceData?omid=97560490bafb0d49bca6f8f0df91025d&susid=c408ee57-2103-4c34-9e6f-30bdf6c87e50&audienceFFN=492350f6-3a01-4f97-b9c0-c7c6ddf67d60&tid=&osver=Client%7C10.0.22000&offver=16.0.16626.20134&ring=Production&aud=Production&ch=CC&osarch=x64&manstate=6 | unknown | binary | 189 b | whitelisted
- | - | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAOav%2F2w8K4jHzmTOaTzWTM%3D | unknown | - | - | whitelisted
2840 | svchost.exe | GET | 200 | 2.19.11.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?979a56df26e925db | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.4:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

(Cells marked "-" are empty in the source report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.55.104.146:80 | www.msftconnecttest.com | Akamai International B.V. | US | whitelisted
- | - | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 52.168.117.169:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 2.19.11.178:80 | ctldl.windowsupdate.com | Elisa Oyj | NL | whitelisted
2020 | MoUsoCoreWorker.exe | 2.19.11.178:80 | ctldl.windowsupdate.com | Elisa Oyj | NL | whitelisted
- | - | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | unknown
- | - | 52.123.129.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

(Cells marked "-" are empty in the source report.)

DNS requests

Domain
IP
Reputation
www.msftconnecttest.com
  • 23.55.104.146
  • 23.55.104.159
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
v10.events.data.microsoft.com
  • 52.168.117.169
  • 104.208.16.95
whitelisted
google.com
  • 142.250.185.174
whitelisted
ctldl.windowsupdate.com
  • 2.19.11.178
  • 2.19.11.136
  • 208.89.74.19
  • 208.89.74.17
  • 208.89.74.31
  • 208.89.74.21
  • 208.89.74.27
  • 208.89.74.29
  • 208.89.74.23
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
e3913.cd.akamaiedge.net
  • 2.23.77.188
unknown

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Microsoft Connection Test
No debug info