File name:	81b8c10b75fa778de2668ecc94708e5392f77859f58896e7cefdf80390e59768.zip
Full analysis:	https://app.any.run/tasks/3962212f-6d7c-4c3c-b72b-f1b7fc80673e
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	February 14, 2026, 10:20:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-scr susp-powershell loader reverseloader stego payload auto-startup xworm
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	8A4F0D6F6169390C2232200E825773BE
SHA1:	2FF7B2B413CEB6E1E61A53734D418F8872E02E45
SHA256:	81B8C10B75FA778DE2668ECC94708E5392F77859F58896E7CEFDF80390E59768
SSDEEP:	96:ypppppppppppppppppppppppppppppppBppppppppppppppppppppppppppppppD:AC5CTBtBhmShV

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2026:02:14 09:21:42
ZipCRC:	0x51ca2827
ZipCompressedSize:	8261
ZipUncompressedSize:	1534841
ZipFileName:	Agreement Number CEMC-01-26-0354.hta


(PID) Process:	(8456) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(8456) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(8456) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:	(8456) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\81b8c10b75fa778de2668ecc94708e5392f77859f58896e7cefdf80390e59768.zip
(PID) Process:	(8456) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(8456) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(8456) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(8456) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5440) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5440) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

PID	Process	Filename		Type
6152	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:F2D0CDC9352938A0372AC2FE02D6A58F	SHA256:FDE60C3E97009ABFFF561EA6EF1CB5B383AED48ECDEFBA38657397FADF987C9F
6152	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_w1e1xrby.ahy.psm1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7684	RegAsm.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bin.lnk		binary
		MD5:66459C01D079EB4F597472F871D266EE	SHA256:F14BC72EA8CCC153EBFF6CCD69DE345D96C6AB3897547A39A71DE477935A7040
8408	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2tth5n5s.ykq.ps1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3500	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p0yf5ezc.2hd.ps1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8408	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xyzheabl.anc.psm1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3500	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ypak0tki.sod.psm1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7684	RegAsm.exe	C:\Users\admin\AppData\Roaming\bin.exe		binary
		MD5:0AEA1B49AEDB6C7BF4805DD5054DC0F7	SHA256:BD02B877C14DDC1E2DB118F32730B73B2E5AE792A84AC48F28957BEAFF2B83F9
6152	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_r5yv0gnl.4xl.ps1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6152	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:44084021F11D398A3EAD7E6151B2848E	SHA256:39EBDE1C6473B6C7EF4642B1916375286637B9F66EC74D51B715F3BB02A4F44F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	212.95.51.38:443	https://teamrising.ae/arquivo_20260214032108.txt	DE	binary	46.0 Kb	unknown
3292	svchost.exe	GET	200	184.30.158.70:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	US	binary	400 b	whitelisted
3292	svchost.exe	GET	200	184.30.158.70:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	US	binary	401 b	whitelisted
3292	svchost.exe	GET	200	184.30.158.70:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	US	binary	814 b	whitelisted
—	—	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	—	—	unknown
5208	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	—	512 b	whitelisted
3292	svchost.exe	GET	200	184.30.158.70:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	US	binary	813 b	whitelisted
—	—	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	text	512 b	unknown
3292	svchost.exe	GET	200	184.30.158.70:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	US	binary	813 b	whitelisted
7480	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	—	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	2.16.27.98:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
—	—	23.53.40.178:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
8068	svchost.exe	23.53.40.178:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	23.53.40.178:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8068	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6712	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
www.bing.com	2.16.27.98 2.16.27.74	whitelisted
google.com	172.217.20.142	whitelisted
crl.microsoft.com	23.53.40.178 23.53.41.90	whitelisted
res.cloudinary.com	104.16.79.6 104.16.78.6	whitelisted
teamrising.ae	212.95.51.38	unknown
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
www.microsoft.com	184.30.158.70	whitelisted
self.events.data.microsoft.com	20.189.173.17	whitelisted

PID	Process	Class	Message
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	A Network Trojan was detected	ET ATTACK_RESPONSE ReverseLoader Base64 Encoded Executable In Image M2
—	—	A Network Trojan was detected	PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image
—	—	A Network Trojan was detected	ET ATTACK_RESPONSE ReverseLoader Base64 Encoded Executable In Image M1
—	—	Potentially Bad Traffic	PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound
—	—	Exploit Kit Activity Detected	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1
—	—	A Network Trojan was detected	ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound
6152	powershell.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6152	powershell.exe	A Network Trojan was detected	ET ATTACK_RESPONSE ReverseLoader Base64 Encoded Executable In Image M2
6152	powershell.exe	A Network Trojan was detected	PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image

General Info

81b8c10b75fa778de2668ecc94708e5392f77859f58896e7cefdf80390e59768.zip

8A4F0D6F6169390C2232200E825773BE

2FF7B2B413CEB6E1E61A53734D418F8872E02E45

81B8C10B75FA778DE2668ECC94708E5392F77859F58896E7CEFDF80390E59768

96:ypppppppppppppppppppppppppppppppBppppppppppppppppppppppppppppppD:AC5CTBtBhmShV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Run PowerShell with an invisible window

Downloads the requested resource (POWERSHELL)

Dynamically loads an assembly (POWERSHELL)

REVERSELOADER has been detected (SURICATA)

Execute application with conhost.exe as parent process

XWORM has been detected (YARA)

Create files in the Startup directory

Changes powershell execution policy (Bypass)

SUSPICIOUS

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Uses base64 encoding (POWERSHELL)

Possibly malicious use of IEX has been detected

Contacting a server suspected of hosting an Exploit Kit

Likely accesses (executes) a file from the Public directory

Bypass execution policy to execute commands

Downloads file from URI via Powershell

The process executes via Task Scheduler

Hides errors and continues executing the command without stopping

Starts process via Powershell

INFO

Drops script file

Manual execution by a user

Reads Internet Explorer settings

Uses string replace method (POWERSHELL)

User-Agent configuration (POWERSHELL)

Found Base64 encoded reflection usage via PowerShell (YARA)

Reads the machine GUID from the registry

Found Base64 encoded text manipulation via PowerShell (YARA)

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Launching a file from the Startup directory

Checks proxy server information

Script raised an exception (POWERSHELL)

Disables trace logs

Converts byte array into ASCII string (POWERSHELL)

Uses string split method (POWERSHELL)

Malware configuration

XWorm

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

XWorm