File name:

zapret-discord-youtube-1.5.1 (2).rar

Full analysis: https://app.any.run/tasks/8b68df5c-34c6-4c1f-a04d-a19585b9d703
Verdict: Malicious activity
Analysis date: November 03, 2024, 14:54:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
upx
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

CB5A1C7E8D7DC7FAAADB8567EB113D2E

SHA1:

C5C3F51F6F605E117D228DDEBA9E31B504588011

SHA256:

D29C32B71E9FC9724BE87729D6F8B296BF739465536430245D97D5549E770780

SSDEEP:

49152:1D2pC3Q/k0bvTtqsyTDWaxsJ/tfjnlcNw7hqnFTII6w8b+IWx8n/cYZrECWSBVcP:Rx3Q/k0dYT6axYhzIZnFkI6fHRcYZr/0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Detects Cygwin installation

      • WinRAR.exe (PID: 4348)

    • Generic archive extractor

      • WinRAR.exe (PID: 4348)

  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 4348)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5700)
      • cmd.exe (PID: 6284)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 6412)
      • cmd.exe (PID: 864)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 3648)

  • INFO

    • Changes the display of characters in the console

      • cmd.exe (PID: 5700)
      • cmd.exe (PID: 6412)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 6284)
      • cmd.exe (PID: 864)
      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 3648)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 4348)
      • cmd.exe (PID: 5700)
      • cmd.exe (PID: 6412)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 864)

    • Manual execution by a user

      • cmd.exe (PID: 5700)
      • cmd.exe (PID: 6284)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 6412)
      • cmd.exe (PID: 864)
      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 6808)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4348)

    • Reads the computer name

      • winws.exe (PID: 5900)
      • winws.exe (PID: 1252)
      • winws.exe (PID: 3676)
      • winws.exe (PID: 7060)
      • winws.exe (PID: 6876)

    • Checks supported languages

      • winws.exe (PID: 5900)
      • chcp.com (PID: 7052)
      • chcp.com (PID: 7100)
      • winws.exe (PID: 1252)
      • chcp.com (PID: 6724)
      • winws.exe (PID: 3676)
      • chcp.com (PID: 1160)
      • chcp.com (PID: 3008)
      • chcp.com (PID: 4464)
      • winws.exe (PID: 7060)
      • chcp.com (PID: 4308)
      • winws.exe (PID: 6876)
      • chcp.com (PID: 1376)
      • chcp.com (PID: 1160)

    • UPX packer has been detected

      • winws.exe (PID: 5900)
      • winws.exe (PID: 1252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 373
UncompressedSize: 828
OperatingSystem: Win32
ArchivedFileName: general.bat
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
187
Monitored processes
48
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe cmd.exe no specs conhost.exe no specs chcp.com no specs winws.exe no specs winws.exe no specs THREAT winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs conhost.exe no specs chcp.com no specs winws.exe no specs winws.exe no specs THREAT winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs winws.exe no specs winws.exe no specs winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs winws.exe no specs winws.exe no specs winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs winws.exe no specs winws.exe no specs winws.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe conhost.exe no specs chcp.com no specs cmd.exe no specs conhost.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
512\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exewinws.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\general (ALT).bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1048"C:\Users\admin\Desktop\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-50100 --ipset="ipset-discord.txt" --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-l3=ipv4 --filter-tcp=443 --dpi-desync=syndataC:\Users\admin\Desktop\bin\winws.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\bin\winws.exe
c:\windows\system32\ntdll.dll
1156\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1160chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1160chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1252"C:\Users\admin\Desktop\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="C:\Users\admin\Desktop\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-50100 --ipset="ipset-discord.txt" --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-l3=ipv4 --filter-tcp=443 --dpi-desync=syndataC:\Users\admin\Desktop\bin\winws.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\bin\winws.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\desktop\bin\cygwin1.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1376chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
2184\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exewinws.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2184\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 874
Read events
3 831
Write events
30
Delete events
13

Modification events

(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\zapret-discord-youtube-1.5.1 (2).rar
(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:psize
Value:
80
(PID) Process:(4348) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:type
Value:
120
Executable files
4
Suspicious files
2
Text files
16
Unknown types
0

Dropped files

PID
Process
Filename
Type
4348WinRAR.exeC:\Users\admin\Desktop\list-discord.txttext
MD5:B4ABCEA255C0B2F0EC20D04361F044E1
SHA256:F472D83D75552F8F9411D7DF7ADD9E60CC6E77F143FCD74FAFE37B8FE23B96B8
4348WinRAR.exeC:\Users\admin\Desktop\general.battext
MD5:96C6B973735AAA9345D11D573A5A8286
SHA256:4295D4AB95BDFE3E91A1A524B9C77DD0871583A871AAA42A3CA0A803EED7DC0E
4348WinRAR.exeC:\Users\admin\Desktop\bin\WinDivert.dllexecutable
MD5:B2014D33EE645112D5DC16FE9D9FCBFF
SHA256:C1E060EE19444A259B2162F8AF0F3FE8C4428A1C6F694DCE20DE194AC8D7D9A2
4348WinRAR.exeC:\Users\admin\Desktop\ipset-discord.txttext
MD5:F11A824757BC67945A9BC8C633F34551
SHA256:C84C518DEAA169B90851C9EB4080888D387CBB9AE16095649E25C1BB6C6E2794
4348WinRAR.exeC:\Users\admin\Desktop\general (ALT5).battext
MD5:ACF0049A95529A1EC5EDE177F8905B4A
SHA256:C142145E2C4210B61E007EC893109CEFDF816A5EDA45E85414A9E64F2B04447E
4348WinRAR.exeC:\Users\admin\Desktop\general (ALT4).battext
MD5:8A7731DECEFCEF4EC7FA2A64151BB4CB
SHA256:692DDAA7CB183B3756DECFB9730BAB7EFAA90A2B53C2FA972794756F73F99D25
4348WinRAR.exeC:\Users\admin\Desktop\service_remove.battext
MD5:2C176F48E11777B556A2C54E90FC5BF4
SHA256:188DAA999B8FE8CE8F92042FDCD883BDA8FEF130C887964D02EE152E01336808
4348WinRAR.exeC:\Users\admin\Desktop\general (ALT3).battext
MD5:92501361059A9975E6BC7730B6558611
SHA256:CAD3F36AEA619F1FA8E605035573D7AC85279904EBC4AE573EACEBF62C97C595
4348WinRAR.exeC:\Users\admin\Desktop\service_install.battext
MD5:52AB1E931C1B1B0554BFCC3D58019702
SHA256:0BFF8313C7A0C9B0705CCF69186875D46C56944B0828883210E7ED2A8D797400
4348WinRAR.exeC:\Users\admin\Desktop\README.mdhtml
MD5:7A5ECC7B98B833DC6BF2097EDF4368D5
SHA256:88BD1DA67CA0706D1284BE2ACCFB08AF167D1FE8738FB359D81E5C559A3C5AB6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
40
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1552
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6956
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6728
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6956
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1252
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4360
SearchApp.exe
2.23.209.140:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1552
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1552
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4360
SearchApp.exe
2.23.209.149:443
www.bing.com
Akamai International B.V.
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 20.73.194.208
whitelisted
www.bing.com
  • 2.23.209.140
  • 2.23.209.150
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.193
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.189
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.184.206
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.0
  • 40.126.31.67
whitelisted
th.bing.com
  • 2.23.209.149
  • 2.23.209.193
  • 2.23.209.179
  • 2.23.209.185
  • 2.23.209.176
  • 2.23.209.189
  • 2.23.209.182
  • 2.23.209.177
  • 2.23.209.150
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
zapret-discord-youtube-1.5.1 (2).rar