File name: zapret-win-bundle-master.zip

Full analysis: https://app.any.run/tasks/b5338811-2955-45fa-9f3f-0c6a62324592
Verdict: Malicious activity
Analysis date: April 11, 2025, 09:19:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, arch-doc, windivert-sys, mal-driver
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 9F9832283ECD6CEA26C9103E3C69DE9A
SHA1: BC9AD741CC38F69AA2B29DE6D4E6931AAB15D8C3
SHA256: 8BD96E4A9481D589D230D609914904DD826DEC7F1A52A170414DA5CF17878F12
SSDEEP: 98304:IDEcglRB12KIVcB1xMwlsgecngos5qdkcjYcZ4v384bXyAFUasXCf8n9poYTo3Ny:5imTHgEiSsWX2FnmaClD2a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6872)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 4448)
      • net.exe (PID: 6264)
    • Malicious driver has been detected

      • WinRAR.exe (PID: 6872)
    • Detects Cygwin installation

      • WinRAR.exe (PID: 6872)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1196)
      • WinRAR.exe (PID: 6872)
    • Application launched itself

      • cmd.exe (PID: 1196)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 4068)
      • cmd.exe (PID: 5116)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6872)
    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 6872)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 6872)
    • Windows service management via SC.EXE

      • sc.exe (PID: 5864)
      • sc.exe (PID: 2552)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 5728)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 6700)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 5056)
      • cmd.exe (PID: 4068)
      • cmd.exe (PID: 5116)
      • cmd.exe (PID: 5588)
      • cmd.exe (PID: 4620)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6872)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 6872)
    • Reads the computer name

      • MpCmdRun.exe (PID: 6248)
      • MpCmdRun.exe (PID: 4528)
    • Checks proxy server information

      • slui.exe (PID: 3300)
    • Reads the software policy settings

      • slui.exe (PID: 3300)
    • Checks supported languages

      • MpCmdRun.exe (PID: 4528)
      • MpCmdRun.exe (PID: 6248)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 6248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:04:07 08:01:32
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: zapret-win-bundle-master/
No data.
All screenshots are available in the full report
Total processes: 161
Monitored processes: 37
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Graph nodes, in the order shown in the interactive view (labels kept as in the report):
start, THREAT winrar.exe, cmd.exe no specs, conhost.exe no specs, schtasks.exe no specs, schtasks.exe no specs, cmd.exe no specs, conhost.exe no specs, schtasks.exe no specs, cmd.exe no specs, conhost.exe no specs, schtasks.exe no specs, cmd.exe no specs, conhost.exe no specs, net.exe no specs, net1.exe no specs, cmd.exe no specs, conhost.exe no specs, cmd.exe no specs, conhost.exe no specs, cmd.exe no specs, cmd.exe no specs, conhost.exe no specs, cmd.exe no specs, conhost.exe no specs, cmd.exe no specs, conhost.exe no specs, sc.exe no specs, cmd.exe no specs, conhost.exe no specs, sc.exe no specs, cmd.exe no specs, conhost.exe no specs, mpcmdrun.exe no specs, slui.exe, cmd.exe no specs, conhost.exe no specs, mpcmdrun.exe no specs

Process information

PID: 812
CMD: schtasks /End /TN winws1
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1180
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\_CMD_ADMIN.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

PID: 1196
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\blockcheck.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

PID: 2344
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR6872.13708\Rar$Scan141446.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: (not shown)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

PID: 2392
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2552
CMD: sc start winws1
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 2980
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3300
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 3888
CMD: schtasks /Run /TN winws1
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 4068
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\service_start.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events: 5 717
Read events: 5 705
Write events: 12
Delete events: 0

Modification events (registry)

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 0
Value: C:\Users\admin\Desktop\zapret-win-bundle-master.zip

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: name
Value: 120

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: size
Value: 80

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: type
Value: 120

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: mtime
Value: 100

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation: write, Name: ArcSort
Value: 32

(6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation: write, Name: ArcSort
Value: 0
Executable files: 306
Suspicious files: 380
Text files: 155
Unknown types: 0

Dropped files

All entries below were written by PID 6872 (WinRAR.exe) while extracting the archive; paths share the prefix C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\.

Filename: ...\arm64\WinDivert64.sys
Type: executable
MD5: DEB29A3F3A032B99A8B95D70087C1840
SHA256: 55CD5C827A28FC91448F2AD1AE629E3FC951F07726819AEB035969DFBF3712C9

Filename: ...\arm64\install_arm64.cmd
Type: text
MD5: 541DED7120E3CEE2FAD8447EAAFE47AC
SHA256: 3B5B8617A5A35EDD33574D291AC631E99B7386FC2D1DAF7A2D814C512F17D7B7

Filename: ...\blockcheck\zapret\blog.sh
Type: text
MD5: 47FCC2F9D199486B64E3F5C37E0B3920
SHA256: 66F32FA4470CD63A4014DA8FA10AF11A25862F564E53016D1B790F82C2D83760

Filename: ...\blockcheck\zapret\common\elevate.sh
Type: text
MD5: 6A2F4103DC14704A6DB57A4468D8ACFE
SHA256: 077DD6DFE7CBD686B84788260686D9D971546E67C7734A5E42F6B42AF0ADF886

Filename: ...\arm64\ip2net.exe
Type: executable
MD5: D3C67EC6E4EBEDBB52C4A5560298DB94
SHA256: 6AFEF4C74821F9D6F843BF031A0B9A0F3CBBEE22EB34B38E68F9C50EB5303AC0

Filename: ...\arm64\mdig.exe
Type: executable
MD5: 2C9AE45944AC7213D8F25043A8718940
SHA256: 9634736F4627A5F8DDA140B694CE729C020B59D2159BF588141E3B78F3DE6C7A

Filename: ...\.gitattributes
Type: text
MD5: 2A64C1195F8A6102DBABDCC1C1DF1304
SHA256: F5A08A5102DFEE6955ABBB07B2A435537F126F1509D855B96A837E4BBA793F4F

Filename: ...\blockcheck\zapret\blockcheck.sh
Type: text
MD5: 1D4793171A5BEB6D5BB24AA06A167958
SHA256: BB38FAAB791E0B79697860E1A1BC8530F97B6C64E22A1B29E617F64E228710A9

Filename: ...\blockcheck\zapret\common\base.sh
Type: text
MD5: B19FBE96B4CF5D817158C1DFC4D0EF5F
SHA256: 34FE6C275DD4C6548717B35E1FE86E548003E9BED476D7FA49C836BFDAB715ED

Filename: ...\blockcheck\zapret\common\fwtype.sh
Type: text
MD5: 870DCC207C4808CC6934D204A1F2311A
SHA256: 8A21E8F8FB1878BEF256A467540A9FAE42F9135201CBAD06C1118C1F2BF69B50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 39
DNS requests: 17
Threats: 0

HTTP requests

Columns in the original table: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation. Type and Size are empty for every row shown; rows whose PID/Process cell was empty are marked "(not shown)".

PID/Process: (not shown)
Request: GET, HTTP 304, 4.175.87.197:443
URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
CN: unknown, Reputation: unknown

PID/Process: 2104 svchost.exe
Request: GET, HTTP 200, 23.216.77.6:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown, Reputation: whitelisted

PID/Process: 5548 SIHClient.exe
Request: GET, HTTP 200, 2.23.246.101:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
CN: unknown, Reputation: whitelisted

PID/Process: 5548 SIHClient.exe
Request: GET, HTTP 200, 2.16.164.49:80
URL: http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
CN: unknown, Reputation: whitelisted

PID/Process: 5548 SIHClient.exe
Request: GET, HTTP 200, 2.16.164.49:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
CN: unknown, Reputation: whitelisted

PID/Process: 5548 SIHClient.exe
Request: GET, HTTP 200, 2.23.246.101:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown, Reputation: whitelisted

PID/Process: (not shown)
Request: GET, HTTP 200, 52.165.164.15:443
URL: https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
CN: unknown, Reputation: unknown

PID/Process: 5548 SIHClient.exe
Request: GET, HTTP 200, 2.23.246.101:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
CN: unknown, Reputation: whitelisted

PID/Process: 5548 SIHClient.exe
Request: GET, HTTP 200, 2.23.246.101:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
CN: unknown, Reputation: whitelisted

PID/Process: (not shown)
Request: GET, HTTP 200, 4.175.87.197:443
URL: https://slscr.update.microsoft.com/sls/ping
CN: unknown, Reputation: unknown

Connections

Columns in the original table: PID, Process, IP, Domain, ASN, CN, Reputation. Cells that were empty in the report are omitted; a row whose PID/Process cell was empty is marked "(not shown)".

PID/Process: 2104 svchost.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: IE
Reputation: whitelisted

PID/Process: 4 System
IP: 192.168.100.255:137
Reputation: whitelisted

PID/Process: (not shown)
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: IE
Reputation: whitelisted

PID/Process: 4 System
IP: 192.168.100.255:138
Reputation: whitelisted

PID/Process: 2104 svchost.exe
IP: 23.216.77.6:80
Domain: crl.microsoft.com
ASN: Akamai International B.V., CN: DE
Reputation: whitelisted

PID/Process: 2104 svchost.exe
IP: 4.231.128.59:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: IE
Reputation: whitelisted

PID/Process: 3216 svchost.exe
IP: 172.211.123.249:443
Domain: client.wns.windows.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: FR
Reputation: whitelisted

PID/Process: 5548 SIHClient.exe
IP: 4.175.87.197:443
Domain: slscr.update.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: US
Reputation: whitelisted

PID/Process: 5548 SIHClient.exe
IP: 2.23.246.101:80
Domain: www.microsoft.com
ASN: Ooredoo Q.S.C., CN: QA
Reputation: whitelisted

PID/Process: 5548 SIHClient.exe
IP: 2.16.164.49:80
Domain: crl.microsoft.com
ASN: Akamai International B.V., CN: NL
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.16.164.49
  • 2.16.164.106
  • 2.16.164.18
  • 2.16.164.72
  • 2.16.164.51
  • 2.16.164.120
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
login.live.com
  • 20.190.159.129
  • 20.190.159.64
  • 20.190.159.130
  • 40.126.31.129
  • 20.190.159.2
  • 40.126.31.3
  • 20.190.159.4
  • 40.126.31.67
whitelisted

Threats

No threats detected
No debug info