File name: zapret-discord-youtube-1.9.0b.rar

Full analysis: https://app.any.run/tasks/359c667f-fbf6-454b-a813-567ca2f03869
Verdict: Malicious activity
Threats:

Stealer (generic category). Stealers are malware built to gain unauthorized access to a user's data and send it to the attacker; individual families specialise in files, saved passwords or cryptocurrency wallets, and many also log keystrokes and take screenshots. This class is mostly distributed through phishing campaigns.

Note on attribution in this task: the stealer-class hits below ("Possible stealing of VPN data", "Checks for external IP", "Potential Corporate Privacy Violation") and all three network Threats fire on CCleaner64.exe (PIDs 6792, 8344) and svchost.exe, and CCleaner64.exe, msedge.exe and firefox.exe are all listed under "Manual execution by a user". The activity attributable to the archive itself is the driver and service chain: WinRAR.exe drops WinDivert64.sys and WinDivert.dll, cmd.exe drives sc.exe, net.exe, reg.exe and netsh.exe, and winws.exe then runs as SYSTEM with services.exe as its parent.

Analysis date: March 06, 2026, 00:22:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
windivert-sys
mal-driver
arch-exec
arch-doc
evasion
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 33F79F498479445FDD58382A2B52AD16
SHA1: 4EC932339E9EE280BA85B5DEF484498B2958FDCD
SHA256: EA75ED935B605D705DF22FF977C8BC0122A4274A40E132B919876EDF10870BD9
SSDEEP: 49152:Zb4FMyNCQMf5udb/DNj7Ze9rm45sDC69wDe1fwTCFvppsBS9VWIwQtkcTa8ZM1MC:Zb4utV58b/Jj789rv5D6uDefjFvppr9E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Malicious driver has been detected

      • WinRAR.exe (PID: 7376)
    • Detects Cygwin installation

      • WinRAR.exe (PID: 7376)
    • Starts NET.EXE for service management

      • net.exe (PID: 6628)
      • cmd.exe (PID: 2872)
    • Changes the autorun value in the registry

      • CCleaner64.exe (PID: 6792)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5200)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 5544)
      • WinRAR.exe (PID: 7376)
      • cmd.exe (PID: 2872)
    • Starts process via Powershell

      • powershell.exe (PID: 5544)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3132)
      • cmd.exe (PID: 3404)
      • cmd.exe (PID: 2872)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 7376)
      • powershell.exe (PID: 5544)
      • cmd.exe (PID: 2872)
      • cmd.exe (PID: 7760)
      • cmd.exe (PID: 4120)
    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 7376)
    • Application launched itself

      • cmd.exe (PID: 2872)
      • cmd.exe (PID: 7760)
      • cmd.exe (PID: 4120)
      • CCleaner64.exe (PID: 1128)
      • CCleaner64.exe (PID: 8344)
    • Hides command output

      • cmd.exe (PID: 7760)
      • cmd.exe (PID: 4924)
      • cmd.exe (PID: 4120)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2872)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 2872)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2872)
    • Windows service management via SC.EXE

      • sc.exe (PID: 132)
      • sc.exe (PID: 7640)
      • sc.exe (PID: 3796)
    • Creates a new Windows service

      • sc.exe (PID: 8684)
    • Executes as Windows Service

      • winws.exe (PID: 552)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2872)
    • Creates or modifies Windows services

      • reg.exe (PID: 3172)
    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 1128)
      • CCleaner64.exe (PID: 8344)
    • Reads Internet Explorer settings

      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • Searches for installed software

      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • Executable content was dropped or overwritten

      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • Potential Corporate Privacy Violation

      • CCleaner64.exe (PID: 8344)
    • Checks for external IP

      • CCleaner64.exe (PID: 8344)
    • The process verifies whether the antivirus software is installed

      • CCleaner64.exe (PID: 6792)
      • CCleaner64.exe (PID: 8344)
    • Starts application from unusual location

      • CCleaner64.exe (PID: 8344)
    • Possible stealing of VPN data

      • CCleaner64.exe (PID: 6792)
      • CCleaner64.exe (PID: 8344)
  • INFO

    • Changes the display of characters in the console

      • cmd.exe (PID: 3132)
      • cmd.exe (PID: 3404)
      • cmd.exe (PID: 2872)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7376)
    • Manual execution by a user

      • cmd.exe (PID: 5200)
      • CCleaner64.exe (PID: 1128)
      • msedge.exe (PID: 2368)
      • firefox.exe (PID: 5680)
    • Checks supported languages

      • chcp.com (PID: 6300)
      • chcp.com (PID: 4952)
      • chcp.com (PID: 6000)
      • chcp.com (PID: 1388)
      • chcp.com (PID: 4352)
      • winws.exe (PID: 552)
      • chcp.com (PID: 7088)
      • chcp.com (PID: 1600)
      • CCleaner64.exe (PID: 1128)
      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
      • identity_helper.exe (PID: 7156)
      • identity_helper.exe (PID: 4120)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7376)
      • CCleaner64.exe (PID: 1128)
      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 7376)
      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • Disables trace logs

      • netsh.exe (PID: 6416)
      • netsh.exe (PID: 6880)
    • Reads the computer name

      • winws.exe (PID: 552)
      • CCleaner64.exe (PID: 1128)
      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
      • identity_helper.exe (PID: 7156)
      • identity_helper.exe (PID: 4120)
    • Checks proxy server information

      • slui.exe (PID: 7728)
      • CCleaner64.exe (PID: 8344)
    • Process checks computer location settings

      • CCleaner64.exe (PID: 1128)
      • CCleaner64.exe (PID: 8344)
    • Reads Environment values

      • CCleaner64.exe (PID: 1128)
      • CCleaner64.exe (PID: 6792)
      • CCleaner64.exe (PID: 8344)
      • identity_helper.exe (PID: 7156)
      • identity_helper.exe (PID: 4120)
    • Reads the machine GUID from the registry

      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • Creates files in the program directory

      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • Reads CPU info

      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • Reads product name

      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • Creates files or folders in the user directory

      • CCleaner64.exe (PID: 8344)
    • Launching a file from a Registry key

      • CCleaner64.exe (PID: 6792)
    • Detects AutoHotkey samples (YARA)

      • CCleaner64.exe (PID: 8344)
      • CCleaner64.exe (PID: 6792)
    • Application launched itself

      • msedge.exe (PID: 2368)
      • firefox.exe (PID: 5040)
      • firefox.exe (PID: 5680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
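The MALICIOUS and SUSPICIOUS signatures above describe one chain: an archiver writes a kernel driver (WinDivert64.sys) into a folder on the user's Desktop, cmd.exe runs sc.exe and reg.exe to register a service, and the service binary (winws.exe) is then started by services.exe as SYSTEM from that same user-writable folder. The following Python is an added example, not ANY.RUN's or zapret's code: three rules over constructed process/file events modelled on the report's PIDs and paths, plus a correlation that ties the dropped driver and the service binary together by directory. The event field names are our own (not a Sysmon schema), WinRAR's install path is assumed, and the arguments of the `sc create` step are hypothetical; the report records only that sc.exe PID 8684 created a service.

```python
"""Triage rules for the driver-drop and service-install chain in this report.

Added example; not ANY.RUN's or zapret's code. EVENTS is constructed to
mirror the report's process tree: field names are our own (not a Sysmon
schema), WinRAR's install path is assumed, and the 'sc create' arguments
are hypothetical (the report records only that sc.exe PID 8684 created a
service).
"""
import ntpath
import re

# Roots from which a service binary or driver is normally loaded.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Extractors whose .sys writes deserve a look; WinRAR.exe is the one in this report.
ARCHIVERS = {"winrar.exe", "7z.exe", "7zg.exe"}

EVENTS = [  # constructed after the PIDs and paths in the report
    {"type": "process", "pid": 7376, "user": "admin",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",  # install path assumed
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\zapret-discord-youtube-1.9.0b.rar"'},
    {"type": "file", "pid": 7376, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"C:\Users\admin\Desktop\77\bin\WinDivert64.sys"},
    {"type": "process", "pid": 132, "user": "admin", "image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmd": "sc delete zapret"},
    {"type": "process", "pid": 1188, "user": "admin", "image": r"C:\Windows\System32\findstr.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmd": 'findstr /i "winws.exe"'},
    {"type": "process", "pid": 8684, "user": "admin", "image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     # hypothetical arguments: the report shows only that this sc.exe created a service
     "cmd": r'sc create zapret binPath= "C:\Users\admin\Desktop\77\bin\winws.exe --wf-tcp 80,443" start= auto'},
    {"type": "process", "pid": 552, "user": "SYSTEM", "image": r"C:\Users\admin\Desktop\77\bin\winws.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmd": r'"C:\Users\admin\Desktop\77\bin\winws.exe" --wf-tcp 80,443'},
    {"type": "process", "pid": 3004, "user": "SYSTEM", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmd": "svchost.exe -k netsvcs"},  # benign control
]


def in_system_root(path):
    """True for paths under C:\\Windows or Program Files (case-insensitive)."""
    return ntpath.normcase(path).startswith(SYSTEM_ROOTS)


def rule_service_binary_in_user_path(ev):
    """winws.exe (PID 552): parent services.exe, image outside the system roots."""
    if ev["type"] != "process":
        return None
    if ntpath.basename(ev["parent_image"]).lower() != "services.exe":
        return None
    if in_system_root(ev["image"]):
        return None
    return {"rule": "service_binary_in_user_path", "pid": ev["pid"],
            "user": ev.get("user"), "path": ev["image"]}


def rule_driver_dropped_by_archiver(ev):
    """WinRAR.exe (PID 7376) writing WinDivert64.sys: a kernel driver straight out of an archive."""
    if ev["type"] != "file" or not ev["path"].lower().endswith(".sys"):
        return None
    if ntpath.basename(ev["image"]).lower() not in ARCHIVERS:
        return None
    return {"rule": "driver_dropped_by_archiver", "pid": ev["pid"], "path": ev["path"]}


_BINPATH = re.compile(r'binpath=\s*"?\s*([a-z]:\\[^"]*?\.exe)', re.I)


def rule_sc_create_user_path_binary(ev):
    """sc.exe create whose binPath points outside the system roots."""
    if ev["type"] != "process" or ntpath.basename(ev["image"]).lower() != "sc.exe":
        return None
    if not re.search(r"\bcreate\b", ev["cmd"], re.I):
        return None
    m = _BINPATH.search(ev["cmd"])
    if not m or in_system_root(m.group(1)):
        return None
    return {"rule": "sc_create_user_path_binary", "pid": ev["pid"], "path": m.group(1)}


RULES = (rule_service_binary_in_user_path, rule_driver_dropped_by_archiver,
         rule_sc_create_user_path_binary)


def run_rules(events):
    """Apply every rule to every event; return the list of findings."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def correlate_chain(findings):
    """Directories (normalised, lower-case) in which two or more different rules
    fired: the dropped driver and the service binary sharing a folder is the
    chain this report shows."""
    by_dir = {}
    for f in findings:
        d = ntpath.normcase(ntpath.dirname(f["path"]))
        by_dir.setdefault(d, set()).add(f["rule"])
    return sorted(d for d, rules in by_dir.items() if len(rules) >= 2)


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
    print("chain directories:", correlate_chain(run_rules(EVENTS)))
```

On real telemetry the same three rules would map onto Sysmon event IDs 1 (process create) and 11 (file create); the `sc delete` and `findstr` steps are deliberately left unflagged, since on their own they are routine and only the correlation by directory turns the three individual hits into the high-confidence chain.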
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 606
UncompressedSize: 2415
OperatingSystem: Win32
ArchivedFileName: general (ALT10).bat
No data.
All screenshots are available in the full report
Total processes: 328
Monitored processes: 169
Malicious processes: 7
Suspicious processes: 2

Behavior graph

Process chain as the graph lists it, left to right ("no specs" in the graph marks processes with no indicators of their own; the long run of cmd.exe / findstr.exe pairs is collapsed):
winrar.exe -> cmd.exe, conhost.exe, cmd.exe, conhost.exe, chcp.com, chcp.com, slui.exe, cmd.exe, conhost.exe, powershell.exe, cmd.exe, conhost.exe, chcp.com, cmd.exe, cmd.exe, find.exe, findstr.exe, chcp.com, chcp.com -> a long run of cmd.exe / findstr.exe pairs -> netsh.exe, findstr.exe, findstr.exe, netsh.exe, net.exe, net1.exe, sc.exe (x4), winws.exe, reg.exe, chcp.com, cmd.exe, cmd.exe, find.exe, findstr.exe, chcp.com -> ccleaner64.exe (x3) -> msedge.exe (many, with identity_helper.exe x4) -> firefox.exe (many)

Process information

Columns: PID | CMD | Path | Indicators | Parent process. Ten of the 169 monitored processes are listed on this page.
PID 132 | CMD: sc delete zapret
  Path: C:\Windows\System32\sc.exe | Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Service Control Manager Configuration Tool | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 1060 (ERROR_SERVICE_DOES_NOT_EXIST: no "zapret" service was installed yet when the script tried to remove it)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID 492 | CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo %LISTS%ipset-exclude.txt " (the form cmd.exe uses for a for /f ('command') sub-shell)
  Path: C:\Windows\System32\cmd.exe | Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows Command Processor | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 0
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID 552 | CMD: "C:\Users\admin\Desktop\77\bin\winws.exe" --wf-tcp 80,443,2053,2083,2087,2096,8443,12 --wf-udp 443,19294-19344,50000-50100,12 --filter-udp 443 --hostlist "C:\Users\admin\Desktop\77\lists\list-general.txt" --hostlist-exclude "C:\Users\admin\Desktop\77\lists\list-exclude.txt" --ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt" --dpi-desync fake --dpi-desync-repeats 6 --dpi-desync-fake-quic "C:\Users\admin\Desktop\77\bin\quic_initial_www_google_com.bin" --new --filter-udp 19294-19344,50000-50100 --filter-l7 discord,stun --dpi-desync fake --dpi-desync-repeats 6 --new --filter-tcp 2053,2083,2087,2096,8443 --hostlist-domains discord.media --dpi-desync fake,fakedsplit --dpi-desync-repeats 6 --dpi-desync-fooling ts --dpi-desync-fakedsplit-pattern 0x00 --dpi-desync-fake-tls "C:\Users\admin\Desktop\77\bin\tls_clienthello_www_google_com.bin" --new --filter-tcp 443 --hostlist "C:\Users\admin\Desktop\77\lists\list-google.txt" --ip-id zero --dpi-desync fake,fakedsplit --dpi-desync-repeats 6 --dpi-desync-fooling ts --dpi-desync-fakedsplit-pattern 0x00 --dpi-desync-fake-tls "C:\Users\admin\Desktop\77\bin\tls_clienthello_www_google_com.bin" --new --filter-tcp 80,443 --hostlist "C:\Users\admin\Desktop\77\lists\list-general.txt" --hostlist-exclude "C:\Users\admin\Desktop\77\lists\list-exclude.txt" --ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt" --dpi-desync fake,fakedsplit --dpi-desync-repeats 6 --dpi-desync-fooling ts --dpi-desync-fakedsplit-pattern 0x00 --dpi-desync-fake-tls "C:\Users\admin\Desktop\77\bin\tls_clienthello_www_google_com.bin" --new --filter-udp 443 --ipset "C:\Users\admin\Desktop\77\lists\ipset-all.txt" --hostlist-exclude "C:\Users\admin\Desktop\77\lists\list-exclude.txt" --ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt" --dpi-desync fake --dpi-desync-repeats 6 --dpi-desync-fake-quic "C:\Users\admin\Desktop\77\bin\quic_initial_www_google_com.bin" --new --filter-tcp 80,443,12 --ipset "C:\Users\admin\Desktop\77\lists\ipset-all.txt" --hostlist-exclude "C:\Users\admin\Desktop\77\lists\list-exclude.txt" --ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt" --dpi-desync fake,fakedsplit --dpi-desync-repeats 6 --dpi-desync-fooling ts --dpi-desync-fakedsplit-pattern 0x00 --dpi-desync-fake-tls "C:\Users\admin\Desktop\77\bin\tls_clienthello_www_google_com.bin" --new --filter-udp 12 --ipset "C:\Users\admin\Desktop\77\lists\ipset-all.txt" --ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt" --dpi-desync fake --dpi-desync-autottl 2 --dpi-desync-repeats 12 --dpi-desync-any-protocol 1 --dpi-desync-fake-unknown-udp "C:\Users\admin\Desktop\77\bin\quic_initial_www_google_com.bin" --dpi-desync-cutoff n3
  Path: C:\Users\admin\Desktop\77\bin\winws.exe | Parent: services.exe | User: SYSTEM | Integrity level: SYSTEM
  Note: started by services.exe as SYSTEM, i.e. as the service the sc.exe and reg.exe steps registered, with its binary, hostlists, ipsets and fake-payload files all under the user's Desktop extraction folder rather than a protected location.
Modules
Images
c:\users\admin\desktop\77\bin\winws.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
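The winws.exe command line above is hard to read as one string: it is a sequence of filter profiles separated by `--new`, each with its own port/protocol filter, hostlist or ipset files and desync modes. As an added example (not part of the report and not zapret's own tooling), the following Python splits the recorded command line into those profiles and lists every file the service reads at start, so the result can be checked against the Dropped files section. It assumes only what the recorded command line shows: `--new` separates profiles and every option takes the form `--name value`.

```python
"""Split the winws.exe command line recorded for PID 552 into its profiles.

Added example; not part of the ANY.RUN report or of zapret. WINWS_CMDLINE is
the command line as recorded in the report (Path and Parent columns removed).
Assumed: '--new' separates profiles, options are '--name value'.
"""
import ntpath
import re

WINWS_CMDLINE = r'''"C:\Users\admin\Desktop\77\bin\winws.exe" --wf-tcp 80,443,2053,2083,2087,2096,8443,12
--wf-udp 443,19294-19344,50000-50100,12 --filter-udp 443
--hostlist "C:\Users\admin\Desktop\77\lists\list-general.txt"
--hostlist-exclude "C:\Users\admin\Desktop\77\lists\list-exclude.txt"
--ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt"
--dpi-desync fake --dpi-desync-repeats 6
--dpi-desync-fake-quic "C:\Users\admin\Desktop\77\bin\quic_initial_www_google_com.bin"
--new --filter-udp 19294-19344,50000-50100 --filter-l7 discord,stun --dpi-desync fake --dpi-desync-repeats 6
--new --filter-tcp 2053,2083,2087,2096,8443 --hostlist-domains discord.media --dpi-desync fake,fakedsplit
--dpi-desync-repeats 6 --dpi-desync-fooling ts --dpi-desync-fakedsplit-pattern 0x00
--dpi-desync-fake-tls "C:\Users\admin\Desktop\77\bin\tls_clienthello_www_google_com.bin"
--new --filter-tcp 443 --hostlist "C:\Users\admin\Desktop\77\lists\list-google.txt" --ip-id zero
--dpi-desync fake,fakedsplit --dpi-desync-repeats 6 --dpi-desync-fooling ts --dpi-desync-fakedsplit-pattern 0x00
--dpi-desync-fake-tls "C:\Users\admin\Desktop\77\bin\tls_clienthello_www_google_com.bin"
--new --filter-tcp 80,443 --hostlist "C:\Users\admin\Desktop\77\lists\list-general.txt"
--hostlist-exclude "C:\Users\admin\Desktop\77\lists\list-exclude.txt"
--ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt"
--dpi-desync fake,fakedsplit --dpi-desync-repeats 6 --dpi-desync-fooling ts --dpi-desync-fakedsplit-pattern 0x00
--dpi-desync-fake-tls "C:\Users\admin\Desktop\77\bin\tls_clienthello_www_google_com.bin"
--new --filter-udp 443 --ipset "C:\Users\admin\Desktop\77\lists\ipset-all.txt"
--hostlist-exclude "C:\Users\admin\Desktop\77\lists\list-exclude.txt"
--ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt"
--dpi-desync fake --dpi-desync-repeats 6
--dpi-desync-fake-quic "C:\Users\admin\Desktop\77\bin\quic_initial_www_google_com.bin"
--new --filter-tcp 80,443,12 --ipset "C:\Users\admin\Desktop\77\lists\ipset-all.txt"
--hostlist-exclude "C:\Users\admin\Desktop\77\lists\list-exclude.txt"
--ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt"
--dpi-desync fake,fakedsplit --dpi-desync-repeats 6 --dpi-desync-fooling ts --dpi-desync-fakedsplit-pattern 0x00
--dpi-desync-fake-tls "C:\Users\admin\Desktop\77\bin\tls_clienthello_www_google_com.bin"
--new --filter-udp 12 --ipset "C:\Users\admin\Desktop\77\lists\ipset-all.txt"
--ipset-exclude "C:\Users\admin\Desktop\77\lists\ipset-exclude.txt"
--dpi-desync fake --dpi-desync-autottl 2 --dpi-desync-repeats 12 --dpi-desync-any-protocol 1
--dpi-desync-fake-unknown-udp "C:\Users\admin\Desktop\77\bin\quic_initial_www_google_com.bin"
--dpi-desync-cutoff n3'''

# Whitespace-separated tokens; double-quoted Windows paths stay as one token.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_profiles(cmdline):
    """Return (executable, profiles); each profile maps option name -> [values]."""
    tokens = tokenize(cmdline)
    exe, rest = tokens[0], tokens[1:]
    profiles = [{}]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok == "--new":            # start of the next filter profile
            profiles.append({})
            i += 1
            continue
        if not tok.startswith("--"):
            raise ValueError(f"unexpected bare token {tok!r} at position {i}")
        key = tok[2:]
        # An option consumes the next token as its value unless that is another option.
        if i + 1 < len(rest) and not rest[i + 1].startswith("--"):
            value, i = rest[i + 1], i + 2
        else:
            value, i = True, i + 1
        profiles[-1].setdefault(key, []).append(value)
    return exe, profiles


def referenced_files(profiles):
    """Basenames of every absolute path an option points at (hostlists, ipsets, fake payloads)."""
    files = set()
    for profile in profiles:
        for values in profile.values():
            for v in values:
                if isinstance(v, str) and re.match(r"^[A-Za-z]:\\", v):
                    files.add(ntpath.basename(v))
    return files


def summarize(profiles):
    """One line per profile: what traffic it matches and which desync modes it applies."""
    lines = []
    for n, profile in enumerate(profiles):
        scope = [f"{k}={','.join(map(str, profile[k]))}"
                 for k in ("wf-tcp", "wf-udp", "filter-tcp", "filter-udp", "filter-l7", "hostlist-domains")
                 if k in profile]
        modes = ",".join(map(str, profile.get("dpi-desync", ["-"])))
        lines.append(f"profile {n}: {' '.join(scope) or '(catch-all)'} -> dpi-desync={modes}")
    return lines


if __name__ == "__main__":
    exe, profiles = parse_profiles(WINWS_CMDLINE)
    print(exe)
    print("\n".join(summarize(profiles)))
    print("files read at start:", sorted(referenced_files(profiles)))
```

Every file `referenced_files()` returns sits under C:\Users\admin\Desktop\77, the same extraction folder that holds WinDivert64.sys and WinDivert.dll in the Dropped files section; anyone who can write to that folder can change what the SYSTEM service does.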
PID 1128 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 0
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1128 (PID reused after the conhost.exe above exited) | CMD: "C:\Program Files\CCleaner\CCleaner64.exe"
  Path: C:\Program Files\CCleaner\CCleaner64.exe | Parent: explorer.exe | User: admin | Integrity level: MEDIUM
  Company: Piriform Software Ltd | Description: CCleaner | Version: 6.20.0.10897
  Exit code: 0
Modules
Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID 1188 | CMD: findstr /i "winws.exe"
  Path: C:\Windows\System32\findstr.exe | Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Find String (QGREP) Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 1 (no match: the piped input, not recorded here, contained no line with winws.exe, so the script treated the process as not yet running)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 1352 | CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo %LISTS%list-general.txt "
  Path: C:\Windows\System32\cmd.exe | Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows Command Processor | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 0
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID 1388 | CMD: chcp 65001
  Path: C:\Windows\System32\chcp.com | Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Change CodePage Utility | Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Exit code: 0
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID 1428 | CMD: findstr /i "winws.exe"
  Path: C:\Windows\System32\findstr.exe | Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Find String (QGREP) Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 1 (no match)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 1488 | CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo %BIN%tls_clienthello_www_google_com.bin "
  Path: C:\Windows\System32\cmd.exe | Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows Command Processor | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Exit code: 0
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events: 40 677
Read events: 40 457
Write events: 142
Delete events: 78

Modification events

PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | Name: 3 | Value: C:\Users\admin\Desktop\chromium_ext.zip
PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | Name: 2 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | Name: 1 | Value: C:\Users\admin\Downloads\chromium_build 1.zip
PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\zapret-discord-youtube-1.9.0b.rar
PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | Name: name | Value: 120
PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | Name: size | Value: 80
PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | Name: type | Value: 120
PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | Name: mtime | Value: 100
PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | Name: ShellExtBMP | Value: (empty)
PID 7376 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | Name: ShellExtIcon | Value: (empty)

All of these are WinRAR's own UI state. ArcHistory entry 0 is this sample; entries 1-3 are older archives from the sandbox profile's WinRAR history, not files from this sample. The service-related registry writes by reg.exe (PID 3172) and the autorun change by CCleaner64.exe (PID 6792) flagged in the signatures are not among the events shown on this page.
Executable files: 36
Suspicious files: 590
Text files: 392
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7376 | WinRAR.exe | C:\Users\admin\Desktop\77\bin\quic_initial_www_google_com.bin | binary | 312526D39958D89B1F8AB67789AB985F | F4589C57749F956BB30538197A521D7005F8B0A8723B4707E72405E51DDAC50A
7376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa7376.22893\general (ALT8).bat | text | 9DF643A46B4CB69CC926035B7C012F4C | 83321EF1B714267AE8AEE99F4E4B0EC3A0FA3AA53E1C94A7A169918B99767566
7376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa7376.22879\general (FAKE TLS AUTO ALT).bat | text | 2CC05A727F31AFDF6127547EA606BF0E | B8FE3B554155B4CFF1D625FFCD2C79ADD3EA73E11741D92E289AE7BA5F494984
7376 | WinRAR.exe | C:\Users\admin\Desktop\77\bin\cygwin1.dll | executable | A1C82ED072DC079DD7851F82D9AA7678 | 103104A52E5293CE418944725DF19E2BF81AD9269B9A120D71D39028E821499B
7376 | WinRAR.exe | C:\Users\admin\Desktop\77\bin\tls_clienthello_www_google_com.bin | binary | 41E47557F16690DF1781F67C8712714E | F966351AE376963DFFBCB5B94256872649B9CDAAB8C5175025936FA50E07DC19
7376 | WinRAR.exe | C:\Users\admin\Desktop\77\general (ALT10).bat | text | 666394850863BC1DCE5FA24A49A9D3EA | 652207A70A993EBCF02FD2463F5E9593AC593FFB75D84EC4B8871CF8D84033C1
7376 | WinRAR.exe | C:\Users\admin\Desktop\77\bin\WinDivert.dll | executable | B2014D33EE645112D5DC16FE9D9FCBFF | C1E060EE19444A259B2162F8AF0F3FE8C4428A1C6F694DCE20DE194AC8D7D9A2
7376 | WinRAR.exe | C:\Users\admin\Desktop\77\general (FAKE TLS AUTO ALT2).bat | text | BD80CFF8B83F850512CD7B53B9A78EE6 | 3D03890FEDDB2E0E854FB0656404519590CECF9B037AA50ED2BF9634E236658C
7376 | WinRAR.exe | C:\Users\admin\Desktop\77\bin\tls_clienthello_4pda_to.bin | binary | E6D649DE132C3C10CB62531EF74F5B73 | EEFEAF09DDE8D69B1F176212541F63C68B314A33A335ECED99A8A29F17254DA8
7376 | WinRAR.exe | C:\Users\admin\Desktop\77\bin\WinDivert64.sys | executable | 89ED5BE7EA83C01D0DE33D3519944AA5 | 8DA085332782708D8767BCACE5327A6EC7283C17CFB85E40B03CD2323A90DDC2

WinDivert64.sys and WinDivert.dll are the files behind the "Malicious driver" and "Drops a system driver" hits, and cygwin1.dll behind "Detects Cygwin installation". The report records hashes only; before accepting or rejecting the driver, check its Authenticode signature and compare the hashes above against the files in a WinDivert release you obtained yourself. The signed-or-not status is not in this report.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 459
TCP/UDP connections: 177
DNS requests: 212
Threats: 3

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
6768 | MoUsoCoreWorker.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | - | - | whitelisted
3004 | svchost.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | - | - | whitelisted
- | - | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | US | binary | 313 b | whitelisted
356 | svchost.exe | POST | 400 | 40.126.32.76:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
356 | svchost.exe | POST | 400 | 40.126.32.76:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
1868 | SIHClient.exe | GET | 304 | 74.179.77.204:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
- | - | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | US | binary | 959 b | whitelisted
356 | svchost.exe | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | US | binary | 471 b | whitelisted
1868 | SIHClient.exe | GET | 200 | 20.165.94.54:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
1868 | SIHClient.exe | GET | 200 | 74.179.77.204:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted

Every request listed here belongs to Windows Update or telemetry components (MoUsoCoreWorker.exe, svchost.exe, SIHClient.exe) or is an OCSP check; none is attributed to winws.exe or to the batch chain.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3004 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
4256 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5568 | SearchApp.exe | 2.16.204.141:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 172.66.2.5:80 | ocsp.digicert.com | CLOUDFLARENET | US | whitelisted
- | - | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
356 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2, 4.231.128.59 | whitelisted
self.events.data.microsoft.com | 20.42.73.30, 13.69.239.72 | whitelisted
www.bing.com | 2.16.204.141, 2.16.204.161, 184.86.251.22, 184.86.251.27 | whitelisted
ocsp.digicert.com | 172.66.2.5, 162.159.142.9, 2.17.190.73 | whitelisted
oneocsp.microsoft.com | 204.79.197.203 | whitelisted
google.com | 172.217.168.78, 172.217.16.174, 142.250.203.206, 2a00:1450:4016:804::200e | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 40.126.32.76, 20.190.160.22, 20.190.160.4, 20.190.160.17, 20.190.160.132, 20.190.160.3, 20.190.160.2, 40.126.32.68 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.120, 184.24.77.35, 184.24.77.37 | whitelisted
www.microsoft.com | 2.23.246.101, 88.221.169.152, 23.59.18.102 | whitelisted

Threats

PID | Process | Class | Message
2292 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
8344 | CCleaner64.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
8344 | CCleaner64.exe | Potential Corporate Privacy Violation | ET INFO External IP Lookup (avast .com)

All three alerts are the external-IP lookup made by CCleaner (an Avast product), which the report lists as manually executed; none involves winws.exe or the batch chain.
Process messages

CCleaner64.exe | [2026-03-06 00:25:09.603] [error ] [settings ] [ 8344: 7760] [000000: 0] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe | [2026-03-06 00:25:09.603] [error ] [ini_access ] [ 8344: 7760] [000000: 0] Incorrect ini_accessor configuration! Fixing relative input path to avoid recursion. Input was: Setup
CCleaner64.exe | Failed to open log file 'C:\Program Files\CCleaner'
CCleaner64.exe | OnLanguage - en
CCleaner64.exe | [2026-03-06 00:25:09.978] [error ] [settings ] [ 8344: 8264] [D2EC45: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe | [2026-03-06 00:25:09.994] [error ] [Burger ] [ 8344: 8264] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe | [2026-03-06 00:25:09.994] [error ] [Burger ] [ 8344: 8264] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe | file:///tis/optimizer.tis(1131) : warning :'await' should be used only inside 'async' or 'event'
CCleaner64.exe | file:///tis/optimizer.tis(1288) : warning :'async' does not contain any 'await'
CCleaner64.exe | startCheckingLicense()