File name:	18-06-2025_gUmEIDW4wUo3Gfy.zip
Full analysis:	https://app.any.run/tasks/e4d459e4-b60d-4a54-8ef1-bdd4ea2206f7
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	June 18, 2025, 16:57:51
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	80FF314B769E235A812ECEED02463B39
SHA1:	5B496558C7C7919358CB19C21A9B9FDE87A6CFAC
SHA256:	8F8AF378B387B3E49766215450C51932F0AE0566D8AB88F8EDDB7B08E0984337
SSDEEP:	192:ZUCS0aWJ+tkDStVaGhmPIgTlNV6p3gsZWwePzBhUfRmB+WOET:ZUCS0SfaHdlYQKWwetPT

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:05:23 07:02:28
ZipCRC:	0x995ed311
ZipCompressedSize:	120
ZipUncompressedSize:	146
ZipFileName:	ReadMe.txt


(PID) Process:	(6584) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6584) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6584) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6584) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\18-06-2025_gUmEIDW4wUo3Gfy.zip
(PID) Process:	(6584) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6584) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6584) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6584) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1760) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1760) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

PID	Process	Filename		Type
5416	VsGraphicsResou‎r‎ces.exe	C:\Windows\security\database\VMProtectSDK64.dll		executable
		MD5:BA5CF8079FA68D90A2E6497D3C5711C1	SHA256:AE22254E2B5C5557F35A170696D53E847018221DCD4CC70C153C36ECDD891F81
1760	firefox.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\msedge[1].exe		executable
		MD5:9EACFCCF5993E8D54120BBF8737EC772	SHA256:8C4CF00EA866D9D520B56AD65EA6582754630F33E94AA94001E71E3ED8382B54
5416	VsGraphicsResou‎r‎ces.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\VMProtectSDK64[1].dll		executable
		MD5:BA5CF8079FA68D90A2E6497D3C5711C1	SHA256:AE22254E2B5C5557F35A170696D53E847018221DCD4CC70C153C36ECDD891F81
1760	firefox.exe	C:\Windows\Prefetch\VsGraphicsResou‎r‎ces.exe		executable
		MD5:9EACFCCF5993E8D54120BBF8737EC772	SHA256:8C4CF00EA866D9D520B56AD65EA6582754630F33E94AA94001E71E3ED8382B54
6584	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6584.24072\18-06-2025_gUmEIDW4wUo3Gfy.zip\ReadMe.txt		text
		MD5:FF372680E95ABE08ED4F38B0516C90C6	SHA256:9B266828DE1B21A40B23ABB2BDAFE18AA94AD3F931FC04E085223423C9B369A7
5416	VsGraphicsResou‎r‎ces.exe	C:\Windows\security\database\svchost.exe		executable
		MD5:651D12BD2E79184A13A73BF05A630F3C	SHA256:02903BD6332267C5408C4A7D882F16CED81406E275A9DAC841B0534B92F0C2A5
6584	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6584.24072\Rar$Scan50012.bat		text
		MD5:275CBFE866E4BDC62270F8C19B642DA9	SHA256:DAFBAE3D4380A566571294106E344BB3CDF225C39B4E9122C2EC09AB481AD851
5416	VsGraphicsResou‎r‎ces.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\monetsches[1].exe		executable
		MD5:651D12BD2E79184A13A73BF05A630F3C	SHA256:02903BD6332267C5408C4A7D882F16CED81406E275A9DAC841B0534B92F0C2A5
1564	MpCmdRun.exe	C:\Users\admin\AppData\Local\Temp\MpCmdRun.log		text
		MD5:54A71587C4F0DDC0078324DA66DFC243	SHA256:A46815CED8E77CD3DD08573E16365993E7845E4BDAFFD537A4C2A90661980E91
6584	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6584.24072\18-06-2025_gUmEIDW4wUo3Gfy.zip\firefox.exe		executable
		MD5:4017098A9CFC58A5194666BA3AD97FC2	SHA256:4657C84913AEFC05A44A6F66943AE6798FC91984F31471E4FBC6595B070FAAB3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6876	RUXIMICS.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6876	RUXIMICS.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	216.198.79.129:443	https://exot1c.vercel.app/kxz-free/idk/msedge.exe	unknown	executable	16.0 Kb	—
—	—	GET	200	64.29.17.129:443	https://exot1c.vercel.app/kxz-free/idk/monetsches.exe	unknown	executable	2.38 Mb	—
—	—	GET	200	216.198.79.129:443	https://exot1c.vercel.app/kxz-free/idk/VMProtectSDK64.dll	unknown	executable	116 Kb	—
2940	svchost.exe	GET	200	2.16.252.233:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6876	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
1268	svchost.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
6876	RUXIMICS.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
1268	svchost.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
google.com	172.217.18.14	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	2.16.253.202	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
exot1c.vercel.app	216.198.79.129 64.29.17.129	unknown
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
x1.c.lencr.org	2.16.252.233	whitelisted
self.events.data.microsoft.com	52.182.143.213	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloud infrastructure to build app (vercel .app)
—	—	Misc activity	ET INFO Observed UA-CPU Header
—	—	Misc activity	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Misc activity	ET INFO EXE - Served Inline HTTP
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO EXE - Served Inline HTTP

General Info

18-06-2025_gUmEIDW4wUo3Gfy.zip

80FF314B769E235A812ECEED02463B39

5B496558C7C7919358CB19C21A9B9FDE87A6CFAC

8F8AF378B387B3E49766215450C51932F0AE0566D8AB88F8EDDB7B08E0984337

192:ZUCS0aWJ+tkDStVaGhmPIgTlNV6p3gsZWwePzBhUfRmB+WOET:ZUCS0SfaHdlYQKWwetPT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

INFO

Manual execution by a user

Checks proxy server information

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the software policy settings

Checks supported languages

Process checks computer location settings

Reads security settings of Internet Explorer

Create files in a temporary directory

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings