File name: zapret-discord-youtube-1.9.5.zip

Full analysis: https://app.any.run/tasks/0961f8b3-6086-42b9-8b9b-e417131cfeb1
Verdict: Malicious activity
Analysis date: February 07, 2026, 22:01:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
windivert-sys
mal-driver
arch-exec
arch-scr
arch-doc
github
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: A787DCD917F03071EB5290D71D52814C
SHA1: F4E0A79B851D8D3AB9840E73C61AF5F053F8EAFE
SHA256: CC2688BE2C49C201870CA04E2F433365219BFAF10467296A3E9398B7F21BCA56
SSDEEP: 49152:rvw/Cv8X9eQS0s7eWvRlefNYLw1yD1LE6tVz64qEu1KufrHNW3FzmUS74G6+hefu:U/e8teQzUJRlSNYLeyD1DhdqCirtW3FE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detects Cygwin installation

      • WinRAR.exe (PID: 7312)
    • Malicious driver has been detected

      • WinRAR.exe (PID: 7312)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 1488)
      • cmd.exe (PID: 1512)
      • cmd.exe (PID: 4292)
      • cmd.exe (PID: 8228)
      • cmd.exe (PID: 7728)
      • cmd.exe (PID: 8268)
      • cmd.exe (PID: 5996)
      • cmd.exe (PID: 9092)
      • cmd.exe (PID: 7576)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4368)
      • sc.exe (PID: 492)
      • sc.exe (PID: 8828)
      • sc.exe (PID: 5440)
      • sc.exe (PID: 5868)
      • sc.exe (PID: 4804)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 1488)
      • cmd.exe (PID: 1512)
      • cmd.exe (PID: 4292)
      • cmd.exe (PID: 8228)
      • cmd.exe (PID: 7728)
      • cmd.exe (PID: 8268)
      • cmd.exe (PID: 5996)
      • cmd.exe (PID: 9092)
      • cmd.exe (PID: 7576)
    • Application launched itself

      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 1488)
      • cmd.exe (PID: 1512)
      • cmd.exe (PID: 4292)
      • cmd.exe (PID: 8228)
      • cmd.exe (PID: 7728)
      • cmd.exe (PID: 8268)
      • cmd.exe (PID: 5996)
      • cmd.exe (PID: 9092)
      • cmd.exe (PID: 7576)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5464)
      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 1156)
      • cmd.exe (PID: 8416)
      • cmd.exe (PID: 1512)
      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 8228)
      • cmd.exe (PID: 8268)
      • cmd.exe (PID: 1492)
      • cmd.exe (PID: 9168)
      • cmd.exe (PID: 9092)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5464)
      • cmd.exe (PID: 1156)
      • cmd.exe (PID: 8416)
      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 1492)
      • cmd.exe (PID: 9168)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 1512)
      • cmd.exe (PID: 8228)
      • cmd.exe (PID: 8268)
      • cmd.exe (PID: 9092)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 8792)
      • cmd.exe (PID: 7228)
      • cmd.exe (PID: 148)
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 524)
      • cmd.exe (PID: 664)
    • Hides command output

      • cmd.exe (PID: 8792)
      • cmd.exe (PID: 7228)
      • cmd.exe (PID: 148)
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 524)
      • cmd.exe (PID: 664)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 8792)
      • cmd.exe (PID: 7228)
      • cmd.exe (PID: 148)
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 524)
      • cmd.exe (PID: 664)
    • Creates file in the systems drive root

      • WinRAR.exe (PID: 7312)
    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 7312)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8672)
  • INFO

    • Drops script file

      • WinRAR.exe (PID: 7312)
      • cmd.exe (PID: 7748)
      • powershell.exe (PID: 8988)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 1488)
      • cmd.exe (PID: 1512)
      • powershell.exe (PID: 6724)
      • cmd.exe (PID: 4292)
      • powershell.exe (PID: 8520)
      • cmd.exe (PID: 8228)
      • cmd.exe (PID: 7728)
      • powershell.exe (PID: 7780)
      • powershell.exe (PID: 8672)
      • cmd.exe (PID: 8268)
      • powershell.exe (PID: 7244)
      • cmd.exe (PID: 5996)
      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 9092)
      • powershell.exe (PID: 6348)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7312)
    • Manual execution by a user

      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 1512)
      • cmd.exe (PID: 8228)
      • winws.exe (PID: 3624)
      • winws.exe (PID: 6904)
      • powershell.exe (PID: 8672)
      • cmd.exe (PID: 8268)
      • cmd.exe (PID: 9092)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7312)
    • Changes the display of characters in the console

      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 1488)
      • cmd.exe (PID: 1512)
      • cmd.exe (PID: 4292)
      • cmd.exe (PID: 8228)
      • cmd.exe (PID: 7728)
      • cmd.exe (PID: 8268)
      • cmd.exe (PID: 5996)
      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 9092)
    • Checks supported languages

      • chcp.com (PID: 8324)
      • chcp.com (PID: 5628)
      • chcp.com (PID: 7972)
      • winws.exe (PID: 6272)
      • chcp.com (PID: 2264)
      • winws.exe (PID: 4044)
      • chcp.com (PID: 8564)
      • chcp.com (PID: 7240)
      • chcp.com (PID: 4040)
      • chcp.com (PID: 6908)
      • chcp.com (PID: 2096)
      • chcp.com (PID: 8936)
      • winws.exe (PID: 8624)
      • chcp.com (PID: 6416)
      • chcp.com (PID: 9076)
      • winws.exe (PID: 6788)
      • winws.exe (PID: 6904)
      • chcp.com (PID: 7904)
      • winws.exe (PID: 5088)
      • chcp.com (PID: 6084)
      • chcp.com (PID: 2352)
      • chcp.com (PID: 6496)
      • winws.exe (PID: 5168)
      • chcp.com (PID: 7664)
      • chcp.com (PID: 756)
    • Disables trace logs

      • netsh.exe (PID: 7964)
      • netsh.exe (PID: 6432)
      • powershell.exe (PID: 8988)
      • netsh.exe (PID: 7608)
      • netsh.exe (PID: 8796)
      • netsh.exe (PID: 3652)
      • netsh.exe (PID: 4828)
      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 8520)
      • netsh.exe (PID: 3440)
      • netsh.exe (PID: 6992)
      • powershell.exe (PID: 7780)
      • netsh.exe (PID: 7540)
      • netsh.exe (PID: 8696)
      • netsh.exe (PID: 8748)
      • netsh.exe (PID: 6796)
      • powershell.exe (PID: 7244)
      • powershell.exe (PID: 6348)
    • Reads the computer name

      • winws.exe (PID: 6272)
      • winws.exe (PID: 4044)
      • winws.exe (PID: 8624)
      • winws.exe (PID: 6904)
      • winws.exe (PID: 6788)
      • winws.exe (PID: 5088)
      • winws.exe (PID: 5168)
    • The sample was built using Cygwin

      • winws.exe (PID: 6272)
      • winws.exe (PID: 4044)
      • winws.exe (PID: 8624)
      • winws.exe (PID: 6788)
      • winws.exe (PID: 6904)
      • winws.exe (PID: 5088)
      • winws.exe (PID: 5168)
    • Checks proxy server information

      • powershell.exe (PID: 8988)
      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 8520)
      • powershell.exe (PID: 7780)
      • powershell.exe (PID: 7244)
      • powershell.exe (PID: 6348)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 7312)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2026:02:05 14:32:40
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: bin/
No data.
All screenshots are available in the full report
Total processes
273
Monitored processes
121
Malicious processes
7
Suspicious processes
6

Behavior graph

start THREAT winrar.exe cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs netsh.exe no specs findstr.exe no specs findstr.exe no specs netsh.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs winws.exe no specs powershell.exe winws.exe no specs winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs netsh.exe no specs findstr.exe no specs findstr.exe no specs netsh.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs winws.exe no specs powershell.exe winws.exe no specs winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs netsh.exe no specs findstr.exe no specs findstr.exe no specs netsh.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs winws.exe no specs cmd.exe no specs powershell.exe winws.exe no specs winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs netsh.exe no specs findstr.exe no specs findstr.exe no specs netsh.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs winws.exe no specs powershell.exe winws.exe no specs winws.exe conhost.exe no specs winws.exe no specs winws.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs netsh.exe no specs findstr.exe no specs findstr.exe no specs netsh.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs winws.exe no specs powershell.exe winws.exe no specs winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs sc.exe no specs findstr.exe no specs netsh.exe no specs findstr.exe no specs 
findstr.exe no specs netsh.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs winws.exe no specs powershell.exe winws.exe no specs winws.exe conhost.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 148
CMD: C:\WINDOWS\system32\cmd.exe /c powershell -NoProfile -Command "(Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/main/.service/version.txt\" -Headers @{\"Cache-Control\"=\"no-cache\"} -UseBasicParsing -TimeoutSec 5).Content.Trim()" 2>nul
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 412
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 416
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: winws.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 492
CMD: sc query "zapret"
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 524
CMD: C:\WINDOWS\system32\cmd.exe /c powershell -NoProfile -Command "(Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/main/.service/version.txt\" -Headers @{\"Cache-Control\"=\"no-cache\"} -UseBasicParsing -TimeoutSec 5).Content.Trim()" 2>nul
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 664
CMD: C:\WINDOWS\system32\cmd.exe /c powershell -NoProfile -Command "(Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/Flowseal/zapret-discord-youtube/main/.service/version.txt\" -Headers @{\"Cache-Control\"=\"no-cache\"} -UseBasicParsing -TimeoutSec 5).Content.Trim()" 2>nul
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 756
CMD: chcp 437
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 1084
CMD: "C:\Users\admin\zapret-discord-youtube-1.9.5\bin\winws.exe" --wf-tcp=80,443,2053,2083,2087,2096,8443,12 --wf-udp=443,19294-19344,50000-50100,12 --filter-udp=443 --hostlist="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\quic_initial_www_google_com.bin" --new --filter-udp=19294-19344,50000-50100 --filter-l7=discord,stun --dpi-desync=fake --dpi-desync-repeats=6 --new --filter-tcp=2053,2083,2087,2096,8443 --hostlist-domains=discord.media --dpi-desync=fake --dpi-desync-fake-tls-mod=none --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-badseq-increment=2 --new --filter-tcp=443 --hostlist="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-google.txt" --ip-id=zero --dpi-desync=fake --dpi-desync-fake-tls-mod=none --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-badseq-increment=2 --new --filter-tcp=80,443 --hostlist="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-fake-tls-mod=none --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-badseq-increment=2 --new --filter-udp=443 --ipset="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80,443,12 --ipset="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-fake-tls-mod=none --dpi-desync-repeats=6 --dpi-desync-fooling=badseq --dpi-desync-badseq-increment=2 --new --filter-udp=12 --ipset="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-all.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=12 --dpi-desync-any-protocol=1 --dpi-desync-fake-unknown-udp="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\quic_initial_www_google_com.bin" --dpi-desync-cutoff=n2
Path: C:\Users\admin\zapret-discord-youtube-1.9.5\bin\winws.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\zapret-discord-youtube-1.9.5\bin\winws.exe
c:\windows\system32\ntdll.dll
PID: 1156
CMD: C:\WINDOWS\system32\cmd.exe /c sc query "zapret" | findstr /i "STATE"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1212
CMD: "C:\Users\admin\zapret-discord-youtube-1.9.5\bin\winws.exe" --wf-tcp=80,443,2053,2083,2087,2096,8443,12 --wf-udp=443,19294-19344,50000-50100,12 --filter-udp=443 --hostlist="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\quic_initial_www_google_com.bin" --new --filter-udp=19294-19344,50000-50100 --filter-l7=discord,stun --dpi-desync=fake --dpi-desync-repeats=6 --new --filter-tcp=2053,2083,2087,2096,8443 --hostlist-domains=discord.media --dpi-desync=multisplit --dpi-desync-split-seqovl=681 --dpi-desync-split-pos=1 --dpi-desync-split-seqovl-pattern="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\tls_clienthello_www_google_com.bin" --new --filter-tcp=443 --hostlist="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-google.txt" --ip-id=zero --dpi-desync=multisplit --dpi-desync-split-seqovl=681 --dpi-desync-split-pos=1 --dpi-desync-split-seqovl-pattern="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\tls_clienthello_www_google_com.bin" --new --filter-tcp=80,443 --hostlist="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-general.txt" --hostlist-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=681 --dpi-desync-split-pos=1 --dpi-desync-split-seqovl-pattern="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\tls_clienthello_www_google_com.bin" --new --filter-udp=443 --ipset="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80,443,12 --ipset="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-all.txt" --hostlist-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\list-exclude.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=681 --dpi-desync-split-pos=1 --dpi-desync-split-seqovl-pattern="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\tls_clienthello_www_google_com.bin" --new --filter-udp=12 --ipset="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-all.txt" --ipset-exclude="C:\Users\admin\zapret-discord-youtube-1.9.5\lists\ipset-exclude.txt" --dpi-desync=fake --dpi-desync-repeats=12 --dpi-desync-any-protocol=1 --dpi-desync-fake-unknown-udp="C:\Users\admin\zapret-discord-youtube-1.9.5\bin\quic_initial_www_google_com.bin" --dpi-desync-cutoff=n2
Path: C:\Users\admin\zapret-discord-youtube-1.9.5\bin\winws.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\zapret-discord-youtube-1.9.5\bin\winws.exe
c:\windows\system32\ntdll.dll
Total events
42 419
Read events
42 386
Write events
20
Delete events
13

Modification events

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Downloads\chromium_build 1.zip

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\zapret-discord-youtube-1.9.5.zip

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 15
Value:

(PID) Process: (7312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 14
Value:
Executable files
4
Suspicious files
8
Text files
43
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\general (ALT11).bat | Type: text
MD5: 4FF67A0368D08639424326621A8976B6
SHA256: E71E97066CE97FCFF1B257864CF9E88B6BC3AAED447140181D92A34E96806472
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\bin\WinDivert64.sys | Type: executable
MD5: 89ED5BE7EA83C01D0DE33D3519944AA5
SHA256: 8DA085332782708D8767BCACE5327A6EC7283C17CFB85E40B03CD2323A90DDC2
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\bin\quic_initial_www_google_com.bin | Type: binary
MD5: 312526D39958D89B1F8AB67789AB985F
SHA256: F4589C57749F956BB30538197A521D7005F8B0A8723B4707E72405E51DDAC50A
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\bin\cygwin1.dll | Type: executable
MD5: A1C82ED072DC079DD7851F82D9AA7678
SHA256: 103104A52E5293CE418944725DF19E2BF81AD9269B9A120D71D39028E821499B
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\bin\tls_clienthello_max_ru.bin | Type: binary
MD5: B2B3E684CE449B60F0BC5A9028221A08
SHA256: 4EE0870ABE0A0128600B0095189987BA1D210DAE8BF963BC725AFF49CF922624
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\bin\winws.exe | Type: executable
MD5: D498E19BC7A79DD1EFCB6B928CBE9909
SHA256: AFFB4F69D2EA302A7ABCCD5325D81826E140DDAE014F1E070BC4A6C0DD555188
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\bin\WinDivert.dll | Type: executable
MD5: B2014D33EE645112D5DC16FE9D9FCBFF
SHA256: C1E060EE19444A259B2162F8AF0F3FE8C4428A1C6F694DCE20DE194AC8D7D9A2
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\general (ALT).bat | Type: text
MD5: B088C77FF2C98E7F38DA653598EBCA55
SHA256: E6EBEAD32C996D7859C5C013EF8B6697F34205BB2D30A8918CD27B107873AB8B
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\general (ALT4).bat | Type: text
MD5: D2071D33A112E4F50CA895AE5538E3CE
SHA256: 0CD7B9BFC124FDC8BE4E1990F9A7019DDB457D0D60140150AF18E59932E5C621
PID: 7312 | Process: WinRAR.exe | Filename: C:\Users\admin\zapret-discord-youtube-1.9.5\general (ALT6).bat | Type: text
MD5: 33757D6695C7CFAE21DA5026EF4B7ABA
SHA256: B68F58059E10CAEC205AB3F83F9AC97D6DF57914F0CD5397F138B4D3030F4E98
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
36
DNS requests
20
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4
System
GET
304
20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
unknown
whitelisted
1324
svchost.exe
GET
304
20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
unknown
whitelisted
8368
SIHClient.exe
GET
304
135.232.92.137:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
8368
SIHClient.exe
GET
200
74.179.77.164:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
whitelisted
8368
SIHClient.exe
GET
200
135.232.92.137:443
https://slscr.update.microsoft.com/sls/ping
unknown
whitelisted
8368
SIHClient.exe
GET
304
135.232.92.137:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
unknown
whitelisted
356
svchost.exe
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
356
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
1324
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7004
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2.16.241.205:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
5568
SearchApp.exe
2.16.241.205:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3412
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
www.bing.com
  • 2.16.241.205
  • 2.16.241.218
  • 2.16.241.201
whitelisted
th.bing.com
  • 2.16.241.205
  • 2.16.241.201
  • 2.16.241.218
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
google.com
  • 216.58.206.46
whitelisted
self.events.data.microsoft.com
  • 13.89.179.10
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.2
  • 20.190.159.4
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.71
  • 40.126.31.71
  • 40.126.31.3
  • 20.190.159.73
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted

Threats

PID
Process
Class
Message
1324
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
8988
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6724
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8520
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
7780
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
7244
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6348
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info