URL: https://systemxinfo.github.io/zapret-discord

Full analysis: https://app.any.run/tasks/d52c94a5-d6ac-4807-8e0d-09ce6b600f54
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their victims by logging keystrokes and capturing screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: May 24, 2026, 02:29:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: github, windivert-sys, mal-driver, arch-exec, arch-scr, arch-doc, salatstealer, stealer, susp-powershell, upx, golang
Indicators:
MD5: 80D156A0F1888A1227F23E36B07E85F2
SHA1: A11AB414AB2DB660B1DA84D77E139EEC9021544B
SHA256: D3C826A634EBA513204307980E34D863FFF72828FF96B02116F54D9DF0056E17
SSDEEP: 3:N8RWtR2MEjEd8R:2k/rEjEdW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Malicious driver has been detected

      • msedge.exe (PID: 684)
      • msedge.exe (PID: 7712)
      • WinRAR.exe (PID: 8280)
    • Detects Cygwin installation

      • WinRAR.exe (PID: 8280)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 2396)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1108)
    • SALATSTEALER mutex has been found

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • SALATSTEALER has been detected (YARA)

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Stealers network behavior

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • SALATSTEALER has been detected (SURICATA)

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
  • SUSPICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1108)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1108)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2396)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2396)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 1108)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1108)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 1108)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 1108)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2396)
    • Application launched itself

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 3120)
    • Multiple wallet extension IDs have been found

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 8280)
  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 7868)
      • identity_helper.exe (PID: 9060)
      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 3120)
      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Reads Environment values

      • identity_helper.exe (PID: 7868)
      • identity_helper.exe (PID: 9060)
    • The sample is compiled with English language support

      • msedge.exe (PID: 7712)
      • msedge.exe (PID: 684)
      • WinRAR.exe (PID: 8280)
    • Checks supported languages

      • identity_helper.exe (PID: 7868)
      • identity_helper.exe (PID: 9060)
      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 3120)
      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7864)
      • notepad.exe (PID: 7792)
      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 3120)
      • notepad.exe (PID: 7268)
    • Launching a file from the Downloads directory

      • msedge.exe (PID: 684)
    • Application launched itself

      • msedge.exe (PID: 684)
      • msedge.exe (PID: 8472)
    • Manual execution by a user

      • notepad.exe (PID: 7792)
      • cmd.exe (PID: 2396)
      • notepad.exe (PID: 7268)
      • notepad.exe (PID: 7864)
    • The executable file from the user directory is run by the Powershell process

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 3120)
    • Reads the machine GUID from the registry

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 3120)
    • Application based on Golang

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • There is functionality for taking screenshot (YARA)

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Found Base64 encoded file access via PowerShell (YARA)

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Process checks computer location settings

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 3120)
    • UPX packer has been detected

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Detects GO elliptic curve encryption (YARA)

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe (PID: 2436)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 8280)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 180
Monitored processes: 42
Malicious processes: 7
Suspicious processes: 0

Behavior graph

[Interactive process graph not reproduced here. Nodes flagged THREAT: two msedge.exe instances and winrar.exe; the helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe node is tagged #SALATSTEALER; powershell.exe and one further msedge.exe carry signatures without a THREAT flag; the remaining msedge.exe, identity_helper.exe, notepad.exe, cmd.exe and conhost.exe nodes are marked "no specs".]

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 352
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=4876,i,6362859204837829716,12555008775746983975,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (loaded images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 684
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-features=HttpsUpgrades,HttpsFirstModeV2,HttpsOnlyMode,HttpsFirstBalancedMode --no-first-run --no-default-browser-check https://systemxinfo.github.io/zapret-discord
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (loaded images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1108
CMD: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-Command -ScriptBlock ([Scriptblock]::Create((Get-Content 'C:\Users\admin\Desktop\service.bat' | Select-Object -Skip 4 | Out-String)))"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (loaded images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2092
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6360,i,11718475359054868513,13108044573983788225,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (loaded images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2324
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=7088,i,11718475359054868513,13108044573983788225,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=7124 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (loaded images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2396
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\service.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (loaded images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2436
CMD: "C:\Users\admin\AppData\Local\Temp\helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe"
Path: C:\Users\admin\AppData\Local\Temp\helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe
Parent process: helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe
User: admin
Integrity Level: HIGH
Modules (loaded images):
c:\users\admin\appdata\local\temp\helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
PID: 2828
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (loaded images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3120
CMD: "C:\Users\admin\AppData\Local\Temp\helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe"
Path: C:\Users\admin\AppData\Local\Temp\helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe
Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM
Exit code: 2
Modules (loaded images):
c:\users\admin\appdata\local\temp\helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
PID: 4176
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=1508,i,11718475359054868513,13108044573983788225,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5888 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 3221226029
Version: 133.0.3065.92
Modules (loaded images):
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
Total events: 8 252
Read events: 8 233
Write events: 19
Delete events: 0

Modification events

(PID) Process: (8280) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (8280) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (8280) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process: (8280) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Downloads\zapret-discord-youtube-1.9.8c.zip
(PID) Process: (8280) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (8280) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (8280) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (8280) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (8280) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E | Operation: write | Name: @C:\WINDOWS\System32\acppage.dll,-6002 | Value: Windows Batch File
(PID) Process: (8280) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | Operation: write | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files: 6
Suspicious files: 77
Text files: 217
Unknown types: 1

Dropped files

PID | Process | Filename (the Type, MD5 and SHA256 fields are empty in this report)
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFdfdb9.TMP
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFdfdd9.TMP
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFdfdd9.TMP
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFdfdd9.TMP
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFdfdd9.TMP
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
684 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 84
TCP/UDP connections: 98
DNS requests: 76
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7712 | msedge.exe | GET | 304 | 150.171.27.11:443 | https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist | US | - | - | whitelisted
7712 | msedge.exe | GET | 200 | 150.171.27.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:OknoIPCXU5my5fldJ2IERYROiaZGEbyeN1idPXH25PM&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | text | 102 b | whitelisted
7712 | msedge.exe | GET | 302 | 140.82.121.4:443 | https://github.com/enosenso/zapret-discord-youtube/releases/download/discordzapret/zapret-discord-youtube-1.9.8c.zip | US | - | - | whitelisted
7712 | msedge.exe | GET | 200 | 150.171.28.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | US | text | 132 b | whitelisted
7712 | msedge.exe | GET | 200 | 52.123.243.210:443 | https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0 | US | text | 8.00 Kb | whitelisted
7712 | msedge.exe | GET | 200 | 104.18.22.222:443 | https://copilot.microsoft.com/c/api/user/eligibility | US | text | 25 b | whitelisted
7712 | msedge.exe | GET | 200 | 150.171.109.194:443 | https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US | US | binary | 82 b | whitelisted
7712 | msedge.exe | GET | 301 | 185.199.108.153:443 | https://systemxinfo.github.io/zapret-discord | US | html | 162 b | unknown
7712 | msedge.exe | GET | 200 | 185.199.108.153:443 | https://systemxinfo.github.io/zapret-discord/ | US | html | 7.36 Kb | unknown
7712 | msedge.exe | GET | 404 | 185.199.108.153:443 | https://systemxinfo.github.io/favicon.ico | US | html | 8.90 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (empty fields omitted)
4 | System | 192.168.100.255:137 | Not routed | whitelisted
3448 | svchost.exe | 48.209.138.168:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 48.209.138.168:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(continued from previous row) | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted
7712 | msedge.exe | 150.171.27.11:80 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7712 | msedge.exe | 52.123.243.210:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7712 | msedge.exe | 185.199.108.153:443 | systemxinfo.github.io | FASTLY | US | whitelisted
7712 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7712 | msedge.exe | 150.171.109.194:443 | api.edgeoffer.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 48.209.138.168 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.65 | whitelisted
google.com | 142.251.127.113, 142.251.127.138, 142.251.127.102, 142.251.127.101, 142.251.127.139, 142.251.127.100 | whitelisted
edge.microsoft.com | 150.171.27.11, 150.171.28.11 | whitelisted
config.edge.skype.com | 52.123.243.210, 52.123.243.196, 52.123.243.71, 52.123.243.94 | whitelisted
systemxinfo.github.io | 185.199.108.153, 185.199.111.153, 185.199.110.153, 185.199.109.153 | unknown
api.edgeoffer.microsoft.com | 150.171.109.194 | whitelisted
copilot.microsoft.com | 104.18.22.222, 104.18.23.222 | whitelisted
www.bing.com | 92.123.104.32, 92.123.104.34 | whitelisted
xpaywalletcdn.azureedge.net | 150.171.109.193 | whitelisted

Threats

PID | Process | Class | Message
7712 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access release user assets on GitHub
3448 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
2436 | helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe | Misc activity | ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
2436 | helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe | Misc activity | ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
2436 | helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe | A Network Trojan was detected | STEALER [ANY.RUN] Salatstealer TLS activity observed
2436 | helper_8cf4579b-c591-4a33-90ef-f59703b37b9d.exe | A Network Trojan was detected | ET MALWARE Observed Salat Stealer Domain (salat .cn in TLS SNI)
No debug info