File name:	zapret-win-bundle-master.zip
Full analysis:	https://app.any.run/tasks/b5338811-2955-45fa-9f3f-0c6a62324592
Verdict:	Malicious activity
Analysis date:	April 11, 2025, 09:19:59
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc windivert-sys mal-driver
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	9F9832283ECD6CEA26C9103E3C69DE9A
SHA1:	BC9AD741CC38F69AA2B29DE6D4E6931AAB15D8C3
SHA256:	8BD96E4A9481D589D230D609914904DD826DEC7F1A52A170414DA5CF17878F12
SSDEEP:	98304:IDEcglRB12KIVcB1xMwlsgecngos5qdkcjYcZ4v384bXyAFUasXCf8n9poYTo3Ny:5imTHgEiSsWX2FnmaClD2a

.xpi	\|	Mozilla Firefox browser extension (66.6)
.zip	\|	ZIP compressed archive (33.3)

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:04:07 08:01:32
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	zapret-win-bundle-master/


(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\zapret-win-bundle-master.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 0

PID	Process	Filename		Type
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\arm64\install_arm64.cmd		text
		MD5:541DED7120E3CEE2FAD8447EAAFE47AC	SHA256:3B5B8617A5A35EDD33574D291AC631E99B7386FC2D1DAF7A2D814C512F17D7B7
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\arm64\WinDivert64.sys		executable
		MD5:DEB29A3F3A032B99A8B95D70087C1840	SHA256:55CD5C827A28FC91448F2AD1AE629E3FC951F07726819AEB035969DFBF3712C9
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\.github\lockdown.yml		text
		MD5:45C803FE878A7E445B25AAC584F5C3A3	SHA256:1F4E0432B510CDA65C31855C9937D6924F90485FD1B969C195366DDC7A396C8E
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\arm64\ip2net.exe		executable
		MD5:D3C67EC6E4EBEDBB52C4A5560298DB94	SHA256:6AFEF4C74821F9D6F843BF031A0B9A0F3CBBEE22EB34B38E68F9C50EB5303AC0
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\.gitattributes		text
		MD5:2A64C1195F8A6102DBABDCC1C1DF1304	SHA256:F5A08A5102DFEE6955ABBB07B2A435537F126F1509D855B96A837E4BBA793F4F
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\blockcheck\zapret\files\fake\quic_initial_facebook_com.bin		binary
		MD5:FBED62E95D51EE56B8045E905E0945DF	SHA256:D6504305E15E6F63930D24CED9045001E345D3C1AEB56B1B4C329D51C7DEA274
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\blockcheck\zapret\common\fwtype.sh		text
		MD5:870DCC207C4808CC6934D204A1F2311A	SHA256:8A21E8F8FB1878BEF256A467540A9FAE42F9135201CBAD06C1118C1F2BF69B50
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\blockcheck\zapret\common\dialog.sh		text
		MD5:6FD5B6525DFDD5FDFF0A4919FD1A5105	SHA256:CCAF7F160B50060CA3A4044F43C30018C156636C3F4A8AD2E00E60518905A5E9
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\blockcheck\zapret\files\fake\dht_find_node.bin		binary
		MD5:B0AF2E09B3977DFE983B7B7DF50D04C3	SHA256:1F892E567BDD3DFC23E8DC86933B258A67262CB66CBF16BCC3CFA704DB604BA0
6872	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6872.5311\zapret-win-bundle-master.zip\zapret-win-bundle-master\blockcheck\zapret\files\fake\dtls_clienthello_w3_org.bin		binary
		MD5:E091D8E448CB76D8842CA22643E12B82	SHA256:5BACD8CB6BD451F2374E55BC066B632E3C88FB852E3A44F19E6246C04D127BE5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
5548	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5548	SIHClient.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5548	SIHClient.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5548	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5548	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	52.165.164.15:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
5548	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
5548	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5548	SIHClient.exe	4.175.87.197:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5548	SIHClient.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5548	SIHClient.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.186.142	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28 2.16.164.49 2.16.164.106 2.16.164.18 2.16.164.72 2.16.164.51 2.16.164.120	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted
login.live.com	20.190.159.129 20.190.159.64 20.190.159.130 40.126.31.129 20.190.159.2 40.126.31.3 20.190.159.4 40.126.31.67	whitelisted

General Info

zapret-win-bundle-master.zip

9F9832283ECD6CEA26C9103E3C69DE9A

BC9AD741CC38F69AA2B29DE6D4E6931AAB15D8C3

8BD96E4A9481D589D230D609914904DD826DEC7F1A52A170414DA5CF17878F12

98304:IDEcglRB12KIVcB1xMwlsgecngos5qdkcjYcZ4v384bXyAFUasXCf8n9poYTo3Ny:5imTHgEiSsWX2FnmaClD2a

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Starts NET.EXE for service management

Malicious driver has been detected

Detects Cygwin installation

SUSPICIOUS

Deletes scheduled task without confirmation

Starts CMD.EXE for commands execution

Application launched itself

Starts SC.EXE for service management

Windows service management via SC.EXE

Drops a system driver (possible attempt to evade defenses)

Reads security settings of Internet Explorer

Executing commands from a ".bat" file

INFO

Manual execution by a user

The sample compiled with english language support

Executable content was dropped or overwritten

Create files in a temporary directory

Reads the computer name

Checks proxy server information

Reads the software policy settings

Checks supported languages

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings