download:

/attachments/1345706178298249280/1345707592672083989/zapret-discord-youtube-1.6.2.zip

Full analysis: https://app.any.run/tasks/795b21e2-eb31-4da0-bd12-a5363e943621
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: March 02, 2025, 10:51:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
remote
xworm
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

760E66113DC39211EF1776D0B156832F

SHA1:

B687F4314BC0AF95B67FE474E7D6D97E852440EA

SHA256:

3005389CD72A7CE236877FBA77447CB1417A8BB3B224EE94A79F6E4DA0C77880

SSDEEP:

49152:RabJ/3erPr/+uYwuRYfq6FBvna0+OYh9pphPdJKuExmCXwNJrMCaQrkTcNODj9qo:RWve3/xPYYva7h3z/Es3NWCvrkYw9V1j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Detects Cygwin installation

      • WinRAR.exe (PID: 6656)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7688)
      • powershell.exe (PID: 6728)

    • Changes powershell execution policy (Bypass)

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Adds path to the Windows Defender exclusion list

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Changes the autorun value in the registry

      • zapret-debuger.exe (PID: 4172)

    • Create files in the Startup directory

      • zapret-debuger.exe (PID: 4172)

    • XWORM has been detected (SURICATA)

      • zapret-debuger.exe (PID: 4172)

  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 6656)

    • Application launched itself

      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 7516)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 7516)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 6652)
      • cmd.exe (PID: 7444)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6148)
      • sc.exe (PID: 7576)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6652)
      • cmd.exe (PID: 7444)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7456)
      • cmd.exe (PID: 7324)
      • winws.exe (PID: 7792)
      • cmd.exe (PID: 8168)
      • winws.exe (PID: 8000)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 7516)

    • Hides command output

      • cmd.exe (PID: 7324)

    • Executable content was dropped or overwritten

      • winws.exe (PID: 7792)
      • zapret-debuger.exe (PID: 4172)

    • Reads the date of Windows installation

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Script adds exclusion path to Windows Defender

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Reads security settings of Internet Explorer

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Connects to unusual port

      • zapret-debuger.exe (PID: 4172)

    • Contacting a server suspected of hosting an CnC

      • zapret-debuger.exe (PID: 4172)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6656)

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7588)
      • BackgroundTransferHost.exe (PID: 7360)
      • BackgroundTransferHost.exe (PID: 7788)
      • BackgroundTransferHost.exe (PID: 8008)
      • BackgroundTransferHost.exe (PID: 7204)
      • notepad.exe (PID: 7264)
      • notepad.exe (PID: 7232)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 6656)

    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 7588)
      • slui.exe (PID: 3140)
      • slui.exe (PID: 4436)

    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 7588)
      • powershell.exe (PID: 6044)
      • slui.exe (PID: 4436)

    • Manual execution by a user

      • notepad.exe (PID: 7264)
      • cmd.exe (PID: 7296)
      • notepad.exe (PID: 7232)
      • cmd.exe (PID: 7516)

    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 7588)
      • zapret-debuger.exe (PID: 4172)

    • Changes the display of characters in the console

      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 7516)

    • Checks supported languages

      • chcp.com (PID: 4008)
      • chcp.com (PID: 5304)
      • chcp.com (PID: 7432)
      • winws.exe (PID: 7792)
      • identity_helper.exe (PID: 4220)
      • zapret-debuger.exe (PID: 4172)
      • identity_helper.exe (PID: 7692)
      • chcp.com (PID: 6960)
      • chcp.com (PID: 3180)
      • chcp.com (PID: 7428)
      • winws.exe (PID: 8000)
      • zapret-debuger.exe (PID: 7436)

    • Disables trace logs

      • powershell.exe (PID: 6044)

    • Reads the computer name

      • winws.exe (PID: 7792)
      • identity_helper.exe (PID: 4220)
      • zapret-debuger.exe (PID: 4172)
      • identity_helper.exe (PID: 7692)
      • zapret-debuger.exe (PID: 7436)
      • winws.exe (PID: 8000)

    • Process checks computer location settings

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Reads the machine GUID from the registry

      • winws.exe (PID: 7792)
      • zapret-debuger.exe (PID: 4172)
      • winws.exe (PID: 8000)
      • zapret-debuger.exe (PID: 7436)

    • Create files in a temporary directory

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)
      • zapret-debuger.exe (PID: 4172)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7688)
      • powershell.exe (PID: 6728)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7688)
      • powershell.exe (PID: 6728)

    • Application launched itself

      • msedge.exe (PID: 7820)
      • msedge.exe (PID: 7936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:03:02 13:09:26
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: zapret-discord-youtube-1.6.2/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
237
Monitored processes
96
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe rundll32.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs notepad.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs chcp.com no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe msedge.exe winws.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winws.exe no specs winws.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs #XWORM zapret-debuger.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs notepad.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs chcp.com no specs cmd.exe no specs powershell.exe no specs winws.exe no specs winws.exe no specs winws.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs zapret-debuger.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
720"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5068 --field-trial-handle=2396,i,2337675850746611,9842102875813339593,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1184"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=136 --field-trial-handle=2368,i,17680073362756020792,4593972779334351052,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1184"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2536 --field-trial-handle=2396,i,2337675850746611,9842102875813339593,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4896 --field-trial-handle=2396,i,2337675850746611,9842102875813339593,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1616\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1764\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2092"C:\Users\admin\AppData\Local\Temp\winws.exe" C:\Users\admin\AppData\Local\Temp\winws.exewinws.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\winws.exe
c:\windows\system32\ntdll.dll
2140"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4404 --field-trial-handle=2368,i,17680073362756020792,4593972779334351052,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4988 --field-trial-handle=2396,i,2337675850746611,9842102875813339593,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2268"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5280 --field-trial-handle=2368,i,17680073362756020792,4593972779334351052,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
37 500
Read events
37 434
Write events
66
Delete events
0

Modification events

(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\zapret-discord-youtube-1.6.2.zip
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
18
Suspicious files
366
Text files
96
Unknown types
0

Dropped files

PID
Process
Filename
Type
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\bin\quic_initial_www_google_com.binbinary
MD5:312526D39958D89B1F8AB67789AB985F
SHA256:F4589C57749F956BB30538197A521D7005F8B0A8723B4707E72405E51DDAC50A
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\bin\tls_clienthello_www_google_com.binbinary
MD5:7AB7AD857C5B8794FBDF1091B494DC94
SHA256:E5938780152169F720383F80EABB309E9477369B83B5EC40CC137C397F862CDE
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\bin\cygwin1.dllexecutable
MD5:A1C82ED072DC079DD7851F82D9AA7678
SHA256:103104A52E5293CE418944725DF19E2BF81AD9269B9A120D71D39028E821499B
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\list-discord.txttext
MD5:53C6FE42FF860FDFA8CFAFA9ACFA92FC
SHA256:F015C31EB1C5C13D235AA107B9E618F45AB3AFDEF623C5749BF18494937312A4
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\ipset-discord.txttext
MD5:347FEBFD859BF77A142C5AA396354B2E
SHA256:6D651044669F1285FCF3F9C9F2DB499AFBF3B201DB9677FAF9BB91186EDFE229
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\list-general.txttext
MD5:BF417BCAF5D7040C1B80B1B57EC07772
SHA256:DB86FFB24AFDC1FBA9F54C85E52528FEF8517CF05E205F233CD629551D4DF4A6
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\discord.battext
MD5:EBF82AEABAB4E1D541DD6103186B7FA2
SHA256:356D30EEBA3E1276FA40A49F3253B661519B18405FFF3068E124558AAB10FFD3
7588BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\b0cfe50e-52d9-429d-b8d6-a38f16e6d04f.down_data
MD5:
SHA256:
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\general (МГТС).battext
MD5:2A5363D20832A82D6BD5EE7DB2ADBDF6
SHA256:7F25EEA3B79A0A712E52D927158A671A4A5511EC2C93AE75A89AF98E048DE1B8
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\check_updates.battext
MD5:967E28232B9259DD7E140AEEA9ED37B4
SHA256:4A1E8A52E43426C6A56E0188CCE383CFF76DC44C4347C8CD5C969AC333A5E180
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
83
DNS requests
73
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7492
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7588
BackgroundTransferHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7492
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3180
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6544
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3008
backgroundTaskHost.exe
2.19.122.55:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2040
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1272
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.69
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.130
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.0
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
www.bing.com
  • 2.19.122.55
  • 2.19.122.59
  • 2.19.122.63
  • 2.19.122.4
  • 2.19.122.61
  • 2.19.122.5
  • 2.19.122.64
  • 2.19.122.60
  • 2.19.122.67
  • 104.126.37.139
  • 104.126.37.131
  • 104.126.37.163
  • 104.126.37.145
  • 104.126.37.128
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
4172
zapret-debuger.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/attachments/1345706178298249280/1345707592672083989/zapret-discord-youtube-1.6.2.zip