File name: zapret-roblox.zip

Full analysis: https://app.any.run/tasks/79f7ede7-7a10-498d-9483-110e917826b3
Verdict: Malicious activity
Analysis date: January 28, 2026, 14:08:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: windivert-sys, mal-driver, arch-exec, arch-scr, arch-doc, github
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: ADC5216428595DD05511BFF9321B6685
SHA1: C36F9255AA2821C148AF5F224BBB7453760FD32C
SHA256: 7A5CA25783228711D7AA1B7F58CD0B083578664ECE7A7BCE30B334D393D3ED0F
SSDEEP: 49152:WPaT6lOTcrYJBcGiSLZllbNsayp2lC5vJYGFsG3nzLjHpiL+iXmMZeNQymdeRk/l:MabTcrwjiaZl1ualCJyGFsGXzLzO+6ZP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detects Cygwin installation

      • WinRAR.exe (PID: 7208)
    • Malicious driver has been detected

      • WinRAR.exe (PID: 7208)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 7208)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 4300)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2016)
      • powershell.exe (PID: 908)
      • cmd.exe (PID: 4200)
      • cmd.exe (PID: 2760)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4100)
    • Application launched itself

      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 2760)
      • cmd.exe (PID: 4200)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4300)
      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 4200)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 2016)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 4200)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 8332)
      • cmd.exe (PID: 4200)
    • Starts process via Powershell

      • powershell.exe (PID: 908)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 908)
    • Hides command output

      • cmd.exe (PID: 2760)
    • Creates file in the systems drive root

      • explorer.exe (PID: 4808)
  • INFO

    • Drops script file

      • WinRAR.exe (PID: 7208)
      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 8332)
      • cmd.exe (PID: 4200)
      • powershell.exe (PID: 908)
      • powershell.exe (PID: 7100)
      • powershell.exe (PID: 7044)
    • Checks supported languages

      • chcp.com (PID: 7788)
      • winws.exe (PID: 3040)
      • chcp.com (PID: 5888)
      • chcp.com (PID: 5524)
      • chcp.com (PID: 4688)
      • chcp.com (PID: 6804)
      • chcp.com (PID: 5528)
      • curl.exe (PID: 3088)
    • Manual execution by a user

      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 8332)
    • Changes the display of characters in the console

      • cmd.exe (PID: 2016)
      • cmd.exe (PID: 4200)
    • Disables trace logs

      • netsh.exe (PID: 6024)
      • netsh.exe (PID: 8712)
    • The sample was built using Cygwin

      • winws.exe (PID: 3040)
    • Reads the computer name

      • winws.exe (PID: 3040)
      • curl.exe (PID: 3088)
    • Create files in a temporary directory

      • curl.exe (PID: 3088)
    • Execution of CURL command

      • cmd.exe (PID: 4200)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 9024)
      • explorer.exe (PID: 4808)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:12:30 15:34:16
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: bin/
No data.
All screenshots are available in the full report
Total processes: 194
Monitored processes: 42
Malicious processes: 2
Suspicious processes: 4

Behavior graph

The interactive graph is available in the full report. Process nodes in graph order: winrar.exe (flagged THREAT), cmd.exe, conhost.exe, chcp.com, cmd.exe, sc.exe, findstr.exe, netsh.exe, findstr.exe, findstr.exe, netsh.exe, chcp.com, winws.exe, winws.exe, winws.exe, conhost.exe, cmd.exe, conhost.exe, where.exe, powershell.exe, cmd.exe, conhost.exe, where.exe, where.exe, where.exe, where.exe, chcp.com, cmd.exe, cmd.exe, find.exe, chcp.com, chcp.com, slui.exe, chcp.com, curl.exe, findstr.exe, findstr.exe, powershell.exe, powershell.exe, notepad.exe, explorer.exe, explorer.exe.

Process information

PID: 492
CMD: where find
Path: C:\Windows\System32\where.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Where - Lists location of files
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\where.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 908
CMD: powershell -Command "Start-Process 'cmd.exe' -ArgumentList '/c \"\"C:\Users\admin\Desktop\New folder\service.bat\" admin\"' -Verb RunAs"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1700
CMD: findstr /C:"104.25.158.178 finland10000.discord.media" "C:\WINDOWS\System32\drivers\etc\hosts"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1848
CMD: "C:\Users\admin\Desktop\New folder\bin\winws.exe" --wf-tcp=80,443,2053,2083,2087,2096,8443,1024-65535 --wf-udp=443,19294-19344,50000-50100,1024-65535 --filter-udp=443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --new --filter-udp=19294-19344,50000-50100 --filter-l7=discord,stun --dpi-desync=fake --dpi-desync-fake-discord="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-fake-stun="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-repeats=6 --new --filter-tcp=2053,2083,2087,2096,8443 --hostlist-domains=discord.media --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-tcp=443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-google.txt" --ip-id=zero --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_www_google_com.bin" --new --filter-tcp=80,443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-udp=443 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80,443,1024-65535 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,sni=www.google.com --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-udp=1024-65535 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-autottl=2 --dpi-desync-repeats=12 --dpi-desync-any-protocol=1 --dpi-desync-fake-unknown-udp="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-cutoff=n2
Path: C:\Users\admin\Desktop\New folder\bin\winws.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules
Images
c:\users\admin\desktop\new folder\bin\winws.exe
c:\windows\system32\ntdll.dll
PID: 2016
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\New folder\general (ALT10).bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2312
CMD: findstr /C:"104.25.158.178 finland10199.discord.media" "C:\WINDOWS\System32\drivers\etc\hosts"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2760
CMD: C:\WINDOWS\system32\cmd.exe /c type "C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" 2>nul | find /c /v ""
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 3040
CMD: "C:\Users\admin\Desktop\New folder\bin\winws.exe" --wf-tcp=80,443,2053,2083,2087,2096,8443,1024-65535 --wf-udp=443,19294-19344,50000-50100,1024-65535 --filter-udp=443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --new --filter-udp=19294-19344,50000-50100 --filter-l7=discord,stun --dpi-desync=fake --dpi-desync-fake-discord="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-fake-stun="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-repeats=6 --new --filter-tcp=2053,2083,2087,2096,8443 --hostlist-domains=discord.media --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-tcp=443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-google.txt" --ip-id=zero --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_www_google_com.bin" --new --filter-tcp=80,443 --hostlist="C:\Users\admin\Desktop\New folder\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-udp=443 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80,443,1024-65535 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\Desktop\New folder\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=ts --dpi-desync-fake-tls=! --dpi-desync-fake-tls-mod=rnd,sni=www.google.com --dpi-desync-fake-tls="C:\Users\admin\Desktop\New folder\bin\tls_clienthello_4pda_to.bin" --dpi-desync-fake-tls-mod=none --new --filter-udp=1024-65535 --ipset="C:\Users\admin\Desktop\New folder\lists\ipset-all.txt" --ipset-exclude="C:\Users\admin\Desktop\New folder\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-autottl=2 --dpi-desync-repeats=12 --dpi-desync-any-protocol=1 --dpi-desync-fake-unknown-udp="C:\Users\admin\Desktop\New folder\bin\quic_initial_www_google_com.bin" --dpi-desync-cutoff=n2
Path: C:\Users\admin\Desktop\New folder\bin\winws.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225786
Modules
Images
c:\users\admin\desktop\new folder\bin\winws.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 3088
CMD: curl -L -s -o "C:\Users\admin\AppData\Local\Temp\zapret_hosts.txt" "https://raw.githubusercontent.com/Lux1de/zapret-roblox/refs/heads/main/.service/hosts"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID: 3344
CMD: where findstr
Path: C:\Windows\System32\where.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Where - Lists location of files
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\where.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 2 238
Read events: 2 227
Write events: 11
Delete events: 0

Modification events

(PID) Process: (7208) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7208) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7208) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Downloads\chromium_build 1.zip

(PID) Process: (7208) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\zapret-roblox.zip

(PID) Process: (7208) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7208) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7208) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7208) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3040) winws.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\WinDivert
Operation: write
Name: EventMessageFile
Value: C:\Users\admin\Desktop\New folder\bin\WinDivert64.sys

(PID) Process: (3040) winws.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\WinDivert
Operation: write
Name: TypesSupported
Value: 7
Executable files: 0
Suspicious files: 1
Text files: 7
Unknown types: 36

Dropped files

PID | Process | Filename | Type

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\tls_clienthello_4pda_to.bin | binary
MD5: E6D649DE132C3C10CB62531EF74F5B73
SHA256: EEFEAF09DDE8D69B1F176212541F63C68B314A33A335ECED99A8A29F17254DA8

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\cygwin1.dll | binary
MD5: A1C82ED072DC079DD7851F82D9AA7678
SHA256: 103104A52E5293CE418944725DF19E2BF81AD9269B9A120D71D39028E821499B

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\quic_initial_www_google_com.bin | binary
MD5: 312526D39958D89B1F8AB67789AB985F
SHA256: F4589C57749F956BB30538197A521D7005F8B0A8723B4707E72405E51DDAC50A

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\tls_clienthello_www_google_com.bin | binary
MD5: 41E47557F16690DF1781F67C8712714E
SHA256: F966351AE376963DFFBCB5B94256872649B9CDAAB8C5175025936FA50E07DC19

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\tls_clienthello_max_ru.bin | binary
MD5: 2C2F962B7AB31E5A0760027E1F14AC46
SHA256: E4A94CEC50B3C048EB988A513EE28191E4D7544DD5F98A9BF94F37EE02D2568E

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\WinDivert64.sys | binary
MD5: 89ED5BE7EA83C01D0DE33D3519944AA5
SHA256: 8DA085332782708D8767BCACE5327A6EC7283C17CFB85E40B03CD2323A90DDC2

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\bin\winws.exe | binary
MD5: F94C4B0110FECCD6AECA48C93B278D8B
SHA256: 31D68A175ABEBAB19F7F39BF6D0845EC5C18AB653EEEEA6EE830B22D799B7E55

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\lists\ipset-all.txt.backup | binary
MD5: 5F0D5DDBB2C43802B0F8E6C5C3FC2E4F
SHA256: F2BFFC110DCDA73C98F9C8FF0EA14D0588B997744DF3E8F68DB397E3B7C38758

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\general (ALT).bat | binary
MD5: 13EFB6478CE796A894804EC296B9D04B
SHA256: AB60EC1BF1A2F9AFDAB0ACB53F821A98B88298ED9F3FBBA0B903A1C2AB31AFC2

7208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7208.46883\general (ALT2).bat | binary
MD5: B8424DE27A42629A1954ED279FB4BEBA
SHA256: D77C227CA34F1F31E4EAAC00D958E605B637162C0E2C87E7BBC796B3CF096890
HTTP(S) requests: 31
TCP/UDP connections: 37
DNS requests: 22
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | - | - | whitelisted
8240 | svchost.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/WaaS/FeatureManagement?IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&CurrentBranch=vb_release&AccountFirstChar=&ActivationChannel=Retail&OEMModel=DELL&FlightRing=Retail&AttrDataVer=186&InstallLanguage=en-US&OSUILocale=en-US&WebExperience=1&FlightingBranchName=&ChassisTypeId=1&OSSkuId=48&App=CDM&InstallDate=1661339444&AppVer=&OSArchitecture=AMD64&DefaultUserRegion=244&TelemetryLevel=1&OSVersion=10.0.19045.4046&DeviceFamily=Windows.Desktop | US | - | - | whitelisted
1344 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
1344 | SIHClient.exe | GET | 200 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
1344 | SIHClient.exe | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
1344 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
4280 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
8240 | svchost.exe | GET | 200 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 5.66 Kb | whitelisted
4280 | svchost.exe | POST | 200 | 20.190.159.64:443 | https://login.live.com/RST2.srf | US | binary | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | Not routed | whitelisted
8240 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2364 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 2.16.204.145:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | Not routed | whitelisted
3412 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4280 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4280 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
8240 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.142 | whitelisted
www.bing.com | 2.16.204.145, 2.16.204.146, 2.16.204.151, 2.16.204.148, 2.16.204.150, 2.16.204.155, 2.16.204.149, 2.16.204.152, 2.16.204.153 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
login.live.com | 20.190.159.64, 40.126.31.131, 20.190.159.23, 40.126.31.130, 40.126.31.3, 40.126.31.128, 40.126.31.0, 20.190.159.73 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
crl.microsoft.com | 2.16.164.72, 2.16.164.49 | whitelisted
slscr.update.microsoft.com | 74.178.240.61 | whitelisted
fe3cr.delivery.mp.microsoft.com | 135.233.95.135 | whitelisted
arc.msn.com | 20.103.156.88 | whitelisted

Threats

PID | Process | Class | Message
2292 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info