File name:

zapret-roblox.zip

Full analysis: https://app.any.run/tasks/79f7ede7-7a10-498d-9483-110e917826b3
Verdict: Malicious activity
Analysis date: January 28, 2026, 14:08:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
windivert-sys
mal-driver
arch-exec
arch-scr
arch-doc
github
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

ADC5216428595DD05511BFF9321B6685

SHA1:

C36F9255AA2821C148AF5F224BBB7453760FD32C

SHA256:

7A5CA25783228711D7AA1B7F58CD0B083578664ECE7A7BCE30B334D393D3ED0F

SSDEEP:

49152:WPaT6lOTcrYJBcGiSLZllbNsayp2lC5vJYGFsG3nzLjHpiL+iXmMZeNQymdeRk/l:MabTcrwjiaZl1ualCJyGFsGXzLzO+6ZP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Malicious driver has been detected

      • WinRAR.exe (PID: 7208)

    • Detects Cygwin installation

      • WinRAR.exe (PID: 7208)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2016)
      • powershell.exe (PID: 908)
      • cmd.exe (PID: 4200)
      • cmd.exe (PID: 2760)

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 7208)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 4300)

    • Application launched itself

      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 4200)
      • cmd.exe (PID: 2760)

    • Windows service management via SC.EXE

      • sc.exe (PID: 4100)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4300)
      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 4200)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 2016)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 8332)
      • cmd.exe (PID: 4200)

    • Starts process via Powershell

      • powershell.exe (PID: 908)

    • Executing commands from a ".bat" file

      • powershell.exe (PID: 908)

    • Hides command output

      • cmd.exe (PID: 2760)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4200)
      • cmd.exe (PID: 2016)

    • Creates file in the systems drive root

      • explorer.exe (PID: 4808)

  • INFO

    • Checks supported languages

      • chcp.com (PID: 7788)
      • chcp.com (PID: 5888)
      • chcp.com (PID: 5524)
      • chcp.com (PID: 4688)
      • chcp.com (PID: 6804)
      • chcp.com (PID: 5528)
      • curl.exe (PID: 3088)
      • winws.exe (PID: 3040)

    • Changes the display of characters in the console

      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 4200)

    • Drops script file

      • WinRAR.exe (PID: 7208)
      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 8332)
      • cmd.exe (PID: 4200)
      • powershell.exe (PID: 908)
      • powershell.exe (PID: 7100)
      • powershell.exe (PID: 7044)

    • Manual execution by a user

      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 8332)

    • Disables trace logs

      • netsh.exe (PID: 8712)
      • netsh.exe (PID: 6024)

    • Reads the computer name

      • winws.exe (PID: 3040)
      • curl.exe (PID: 3088)

    • The sample was built using Cygwin

      • winws.exe (PID: 3040)

    • Execution of CURL command

      • cmd.exe (PID: 4200)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 9024)
      • explorer.exe (PID: 4808)

    • Create files in a temporary directory

      • curl.exe (PID: 3088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:12:30 15:34:16
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: bin/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
194
Monitored processes
42
Malicious processes
2
Suspicious processes
4

Behavior graph

Click at the process to see the details
start THREAT winrar.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs netsh.exe no specs findstr.exe no specs findstr.exe no specs netsh.exe no specs chcp.com no specs winws.exe no specs winws.exe no specs winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs where.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs where.exe no specs where.exe no specs where.exe no specs where.exe no specs chcp.com no specs cmd.exe no specs cmd.exe no specs find.exe no specs chcp.com no specs chcp.com no specs slui.exe no specs chcp.com no specs curl.exe findstr.exe no specs findstr.exe no specs powershell.exe no specs powershell.exe no specs notepad.exe no specs explorer.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
492where find C:\Windows\System32\where.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Where - Lists location of files
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\where.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
908powershell -Command "Start-Process 'cmd.exe' -ArgumentList '/c \"\"C:\Users\admin\Desktop\New folder\service.bat\" admin\"' -Verb RunAs"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1700findstr /C:"104.25.158.178 finland10000.discord.media" "C:\WINDOWS\System32\drivers\etc\hosts" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1848"C:\Users\admin\Desktop\New folder\bin\winws.exe" --wf-tcp=80,443,2053,2083,2087,2096,8443,1024-65535 --wf-udp=443,19294-19344,50000-50100,1024-65535 --filter-udp=443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --new --filter-udp=19294-19344,50000-50100 --filter-l7=discord,stun --dpi-desync=fake --dpi-desync-fake-discord="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-fake-stun="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-repeats=6 --new --filter-tcp=2053,2083,2087,2096,8443 --hostlist-domains=discord.media --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-tcp=443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-google.txt" --ip-id=zero --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_www_google_com.bin" --new --filter-tcp=80,443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-udp=443 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80,443,1024-65535 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,sni=www.google.com --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-udp=1024-65535 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-autottl=2 --dpi-desync-repeats=12 --dpi-desync-any-protocol=1 --dpi-desync-fake-unknown-udp="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-cutoff=n2C:\Users\admin\Desktop\New folder\bin\winws.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\new folder\bin\winws.exe
c:\windows\system32\ntdll.dll
2016C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\New folder\general (ALT10).bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
2312findstr /C:"104.25.158.178 finland10199.discord.media" "C:\WINDOWS\System32\drivers\etc\hosts" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2760C:\WINDOWS\system32\cmd.exe /c type "C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" 2>nul | find /c /v ""C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
3040"C:\Users\admin\Desktop\New folder\bin\winws.exe" --wf-tcp=80,443,2053,2083,2087,2096,8443,1024-65535 --wf-udp=443,19294-19344,50000-50100,1024-65535 --filter-udp=443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --new --filter-udp=19294-19344,50000-50100 --filter-l7=discord,stun --dpi-desync=fake --dpi-desync-fake-discord="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-fake-stun="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-repeats=6 --new --filter-tcp=2053,2083,2087,2096,8443 --hostlist-domains=discord.media --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-tcp=443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-google.txt" --ip-id=zero --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_www_google_com.bin" --new --filter-tcp=80,443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-udp=443 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80,443,1024-65535 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,sni=www.google.com --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-udp=1024-65535 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-autottl=2 --dpi-desync-repeats=12 --dpi-desync-any-protocol=1 --dpi-desync-fake-unknown-udp="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-cutoff=n2C:\Users\admin\Desktop\New folder\bin\winws.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225786
Modules
Images
c:\users\admin\desktop\new folder\bin\winws.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
3088curl -L -s -o "C:\Users\admin\AppData\Local\Temp\zapret_hosts.txt" "https://raw.githubusercontent.com/Lux1de/zapret-roblox/refs/heads/main/.service/hosts"C:\Windows\System32\curl.exe
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
3344where findstr C:\Windows\System32\where.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Where - Lists location of files
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\where.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
2 238
Read events
2 227
Write events
11
Delete events
0

Modification events

(PID) Process:(7208) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(7208) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(7208) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:(7208) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\zapret-roblox.zip
(PID) Process:(7208) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(7208) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(7208) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(7208) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3040) winws.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\WinDivert
Operation:writeName:EventMessageFile
Value:
C:\Users\admin\Desktop\New folder\bin\WinDivert64.sys
(PID) Process:(3040) winws.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\WinDivert
Operation:writeName:TypesSupported
Value:
7
Executable files
0
Suspicious files
1
Text files
7
Unknown types
36

Dropped files

PID
Process
Filename
Type
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\lists\ipset-exclude.txtbinary
MD5:4069630CA8187612083190518057137C
SHA256:36159CA57996843462CCCEF23B576CB461DFAA8738E2AB01807DB5A6C1746725
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\lists\ipset-all.txt.backupbinary
MD5:5F0D5DDBB2C43802B0F8E6C5C3FC2E4F
SHA256:F2BFFC110DCDA73C98F9C8FF0EA14D0588B997744DF3E8F68DB397E3B7C38758
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\quic_initial_www_google_com.binbinary
MD5:312526D39958D89B1F8AB67789AB985F
SHA256:F4589C57749F956BB30538197A521D7005F8B0A8723B4707E72405E51DDAC50A
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\tls_clienthello_www_google_com.binbinary
MD5:41E47557F16690DF1781F67C8712714E
SHA256:F966351AE376963DFFBCB5B94256872649B9CDAAB8C5175025936FA50E07DC19
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\cygwin1.dllbinary
MD5:A1C82ED072DC079DD7851F82D9AA7678
SHA256:103104A52E5293CE418944725DF19E2BF81AD9269B9A120D71D39028E821499B
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\winws.exebinary
MD5:F94C4B0110FECCD6AECA48C93B278D8B
SHA256:31D68A175ABEBAB19F7F39BF6D0845EC5C18AB653EEEEA6EE830B22D799B7E55
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\WinDivert64.sysbinary
MD5:89ED5BE7EA83C01D0DE33D3519944AA5
SHA256:8DA085332782708D8767BCACE5327A6EC7283C17CFB85E40B03CD2323A90DDC2
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\WinDivert.dllbinary
MD5:B2014D33EE645112D5DC16FE9D9FCBFF
SHA256:C1E060EE19444A259B2162F8AF0F3FE8C4428A1C6F694DCE20DE194AC8D7D9A2
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\general (ALT3).batbinary
MD5:DC4994FA7E9D3FC154A1214E82AC049C
SHA256:26CF029351D5A68096AF5E4C4A6891EAA5ED4559FDEFF1D720887061FD8F55D8
7208WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\lists\list-google.txtbinary
MD5:863B39C2A54427FE700174D83F5F8221
SHA256:4BDBB90546F7BD56BAEDCDDFC1DAB25BED9C73893E8EDDB62C272A21C3E98EED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
37
DNS requests
22
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
unknown
whitelisted
8240
svchost.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
unknown
whitelisted
6768
MoUsoCoreWorker.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/WaaS/FeatureManagement?IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&CurrentBranch=vb_release&AccountFirstChar=&ActivationChannel=Retail&OEMModel=DELL&FlightRing=Retail&AttrDataVer=186&InstallLanguage=en-US&OSUILocale=en-US&WebExperience=1&FlightingBranchName=&ChassisTypeId=1&OSSkuId=48&App=CDM&InstallDate=1661339444&AppVer=&OSArchitecture=AMD64&DefaultUserRegion=244&TelemetryLevel=1&OSVersion=10.0.19045.4046&DeviceFamily=Windows.Desktop
unknown
whitelisted
1344
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
1344
SIHClient.exe
GET
200
135.233.95.135:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
whitelisted
1344
SIHClient.exe
GET
200
74.178.240.61:443
https://slscr.update.microsoft.com/sls/ping
unknown
whitelisted
1344
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
4280
svchost.exe
POST
200
20.190.159.64:443
https://login.live.com/RST2.srf
unknown
binary
10.3 Kb
whitelisted
4280
svchost.exe
POST
200
20.190.159.64:443
https://login.live.com/RST2.srf
unknown
binary
10.2 Kb
whitelisted
4280
svchost.exe
POST
200
20.190.159.64:443
https://login.live.com/RST2.srf
unknown
binary
10.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
8240
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2364
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2.16.204.145:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3412
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4280
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4280
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
8240
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 2.16.204.145
  • 2.16.204.146
  • 2.16.204.151
  • 2.16.204.148
  • 2.16.204.150
  • 2.16.204.155
  • 2.16.204.149
  • 2.16.204.152
  • 2.16.204.153
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.131
  • 20.190.159.23
  • 40.126.31.130
  • 40.126.31.3
  • 40.126.31.128
  • 40.126.31.0
  • 20.190.159.73
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.49
whitelisted
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.233.95.135
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted

Threats

PID
Process
Class
Message
2292
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
zapret-roblox.zip