download:

/attachments/1345706178298249280/1345707592672083989/zapret-discord-youtube-1.6.2.zip

Full analysis: https://app.any.run/tasks/795b21e2-eb31-4da0-bd12-a5363e943621
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: March 02, 2025, 10:51:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
remote
xworm
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

760E66113DC39211EF1776D0B156832F

SHA1:

B687F4314BC0AF95B67FE474E7D6D97E852440EA

SHA256:

3005389CD72A7CE236877FBA77447CB1417A8BB3B224EE94A79F6E4DA0C77880

SSDEEP:

49152:RabJ/3erPr/+uYwuRYfq6FBvna0+OYh9pphPdJKuExmCXwNJrMCaQrkTcNODj9qo:RWve3/xPYYva7h3z/Es3NWCvrkYw9V1j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Detects Cygwin installation

      • WinRAR.exe (PID: 6656)

    • Adds path to the Windows Defender exclusion list

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7688)
      • powershell.exe (PID: 6728)

    • Changes powershell execution policy (Bypass)

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Changes the autorun value in the registry

      • zapret-debuger.exe (PID: 4172)

    • Create files in the Startup directory

      • zapret-debuger.exe (PID: 4172)

    • XWORM has been detected (SURICATA)

      • zapret-debuger.exe (PID: 4172)

  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 6656)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 7516)

    • Application launched itself

      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 7516)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 6652)
      • cmd.exe (PID: 7444)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6652)
      • cmd.exe (PID: 7444)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6148)
      • sc.exe (PID: 7576)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 7516)

    • Hides command output

      • cmd.exe (PID: 7324)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7456)
      • cmd.exe (PID: 7324)
      • winws.exe (PID: 7792)
      • cmd.exe (PID: 8168)
      • winws.exe (PID: 8000)

    • Executable content was dropped or overwritten

      • winws.exe (PID: 7792)
      • zapret-debuger.exe (PID: 4172)

    • Reads security settings of Internet Explorer

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Reads the date of Windows installation

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Script adds exclusion path to Windows Defender

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Connects to unusual port

      • zapret-debuger.exe (PID: 4172)

    • Contacting a server suspected of hosting an CnC

      • zapret-debuger.exe (PID: 4172)

  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 6656)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6656)

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7360)
      • BackgroundTransferHost.exe (PID: 7588)
      • BackgroundTransferHost.exe (PID: 7788)
      • notepad.exe (PID: 7264)
      • BackgroundTransferHost.exe (PID: 7204)
      • BackgroundTransferHost.exe (PID: 8008)
      • notepad.exe (PID: 7232)

    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 7588)
      • powershell.exe (PID: 6044)
      • slui.exe (PID: 4436)

    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 7588)
      • zapret-debuger.exe (PID: 4172)

    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 7588)
      • slui.exe (PID: 3140)
      • slui.exe (PID: 4436)

    • Manual execution by a user

      • cmd.exe (PID: 7296)
      • notepad.exe (PID: 7264)
      • notepad.exe (PID: 7232)
      • cmd.exe (PID: 7516)

    • Changes the display of characters in the console

      • cmd.exe (PID: 7296)
      • cmd.exe (PID: 7516)

    • Checks supported languages

      • chcp.com (PID: 4008)
      • chcp.com (PID: 5304)
      • chcp.com (PID: 7432)
      • winws.exe (PID: 7792)
      • identity_helper.exe (PID: 4220)
      • zapret-debuger.exe (PID: 4172)
      • identity_helper.exe (PID: 7692)
      • chcp.com (PID: 3180)
      • chcp.com (PID: 6960)
      • chcp.com (PID: 7428)
      • winws.exe (PID: 8000)
      • zapret-debuger.exe (PID: 7436)

    • Disables trace logs

      • powershell.exe (PID: 6044)

    • Reads the computer name

      • winws.exe (PID: 7792)
      • identity_helper.exe (PID: 4220)
      • zapret-debuger.exe (PID: 4172)
      • identity_helper.exe (PID: 7692)
      • winws.exe (PID: 8000)
      • zapret-debuger.exe (PID: 7436)

    • Reads the machine GUID from the registry

      • winws.exe (PID: 7792)
      • zapret-debuger.exe (PID: 4172)
      • winws.exe (PID: 8000)
      • zapret-debuger.exe (PID: 7436)

    • Create files in a temporary directory

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)
      • zapret-debuger.exe (PID: 4172)

    • Application launched itself

      • msedge.exe (PID: 7820)
      • msedge.exe (PID: 7936)

    • Process checks computer location settings

      • winws.exe (PID: 7792)
      • winws.exe (PID: 8000)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7688)
      • powershell.exe (PID: 6728)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7688)
      • powershell.exe (PID: 6728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:03:02 13:09:26
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: zapret-discord-youtube-1.6.2/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
237
Monitored processes
96
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe rundll32.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs notepad.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs chcp.com no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe msedge.exe winws.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winws.exe no specs winws.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs #XWORM zapret-debuger.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs notepad.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs chcp.com no specs cmd.exe no specs powershell.exe no specs winws.exe no specs winws.exe no specs winws.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs zapret-debuger.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
720"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5068 --field-trial-handle=2396,i,2337675850746611,9842102875813339593,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1184"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=136 --field-trial-handle=2368,i,17680073362756020792,4593972779334351052,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1184"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2536 --field-trial-handle=2396,i,2337675850746611,9842102875813339593,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4896 --field-trial-handle=2396,i,2337675850746611,9842102875813339593,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1616\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1764\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2092"C:\Users\admin\AppData\Local\Temp\winws.exe" C:\Users\admin\AppData\Local\Temp\winws.exewinws.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\winws.exe
c:\windows\system32\ntdll.dll
2140"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4404 --field-trial-handle=2368,i,17680073362756020792,4593972779334351052,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4988 --field-trial-handle=2396,i,2337675850746611,9842102875813339593,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2268"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5280 --field-trial-handle=2368,i,17680073362756020792,4593972779334351052,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
37 500
Read events
37 434
Write events
66
Delete events
0

Modification events

(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\zapret-discord-youtube-1.6.2.zip
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(6656) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
18
Suspicious files
366
Text files
96
Unknown types
0

Dropped files

PID
Process
Filename
Type
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\bin\quic_initial_www_google_com.binbinary
MD5:312526D39958D89B1F8AB67789AB985F
SHA256:F4589C57749F956BB30538197A521D7005F8B0A8723B4707E72405E51DDAC50A
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\check_updates.battext
MD5:967E28232B9259DD7E140AEEA9ED37B4
SHA256:4A1E8A52E43426C6A56E0188CCE383CFF76DC44C4347C8CD5C969AC333A5E180
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\bin\WinDivert.dllexecutable
MD5:B2014D33EE645112D5DC16FE9D9FCBFF
SHA256:C1E060EE19444A259B2162F8AF0F3FE8C4428A1C6F694DCE20DE194AC8D7D9A2
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\general (ALT).battext
MD5:B4103E2394E1FA4EF5AFE39F58560AEB
SHA256:2C6DCFEACB31B908A4A7EB67AB1F787F7FEB77E920AEC58C4830FB00E34B0D03
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\bin\tls_clienthello_www_google_com.binbinary
MD5:7AB7AD857C5B8794FBDF1091B494DC94
SHA256:E5938780152169F720383F80EABB309E9477369B83B5EC40CC137C397F862CDE
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\discord.battext
MD5:EBF82AEABAB4E1D541DD6103186B7FA2
SHA256:356D30EEBA3E1276FA40A49F3253B661519B18405FFF3068E124558AAB10FFD3
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\general (ALT5).battext
MD5:4F6B46B8B60BACEFA78AA90A7B788CBB
SHA256:290C745EBFC1509D6F7206AFD798A8E77B7928C385B445BEAC99816D89452C19
7588BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\b0cfe50e-52d9-429d-b8d6-a38f16e6d04f.down_data
MD5:
SHA256:
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\bin\winws.exeexecutable
MD5:9B9A307825D46F5D011E00D141CF4C27
SHA256:D1652B5491DA4CB1AAE5982B4AE5F176963BF06BA3B4FE9404F783AD63159CFA
6656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6656.1155\zapret-discord-youtube-1.6.2\general (ALT4).battext
MD5:23A14A9B766D996F8358320714FCD178
SHA256:EF95EFB9729E30796012633CA00EE80ABD85E4FF0ABBF3500B65FC1425FA688D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
83
DNS requests
73
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3180
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
3180
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9f25f54-9a54-4e31-91fd-7fd2ad4f4a2f?P1=1741211302&P2=404&P3=2&P4=iFCO6cNpMYlYvdr2bks8nryihgz6IVGD4QVB1%2bVRxVQZ8lcTpVMebkQa7sYpZ3ZcJlW28HkeziSXO2GZxnpbKQ%3d%3d
unknown
whitelisted
7588
BackgroundTransferHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7492
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7492
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6544
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3008
backgroundTaskHost.exe
2.19.122.55:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2040
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1272
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.69
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.130
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.0
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
www.bing.com
  • 2.19.122.55
  • 2.19.122.59
  • 2.19.122.63
  • 2.19.122.4
  • 2.19.122.61
  • 2.19.122.5
  • 2.19.122.64
  • 2.19.122.60
  • 2.19.122.67
  • 104.126.37.139
  • 104.126.37.131
  • 104.126.37.163
  • 104.126.37.145
  • 104.126.37.128
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
4172
zapret-debuger.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/attachments/1345706178298249280/1345707592672083989/zapret-discord-youtube-1.6.2.zip