File name:

Bootstrapper-Roblox.msi

Full analysis: https://app.any.run/tasks/c3a7f50f-76d3-4e24-bfdd-b18aebaffcb1
Verdict: Malicious activity
Analysis date: March 19, 2026, 20:28:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
susp-powershell
etherhiding
evasion
anti-evasion
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: unpack-basic-3.2-x64, Author: Microsoft Update, Keywords: Installer, Comments: unpack-basic-3.2-x64, Template: Intel;1033, Revision Number: {C1426EAC-4515-4DB8-9944-4E5F934A75E0}, Create Time/Date: Thu Mar 19 16:36:04 2026, Last Saved Time/Date: Thu Mar 19 16:36:04 2026, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
MD5:

DE601286853543C4EF8E1B804675F910

SHA1:

05C17EBF9BDFCE1FBED1196DD72885DFAAD1D77F

SHA256:

18EA4970EAC7CC6539D211ACD268C01903C5C999B2FB3381A364FD17FDB3EFA9

SSDEEP:

49152:jkwh+WMTX85ZINxRlV8TiOrPu+tEu5RNP1FDw6W1cQ/hMkJo+asD+87SiSa7prml:ovJTX8HINxRsT9rPu+tEM/VwX1cQqA+r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Proxy execution via Explorer

      • msiexec.exe (PID: 2960)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 1352)
    • ETHERHIDING has been detected (SURICATA)

      • powershell.exe (PID: 1352)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1352)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 2452)
    • The process executes VB scripts

      • wscript.exe (PID: 6732)
      • wscript.exe (PID: 7920)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4956)
      • cmd.exe (PID: 5584)
      • cmd.exe (PID: 7832)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6732)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6732)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6732)
      • wscript.exe (PID: 7920)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6732)
      • cmd.exe (PID: 4956)
      • wscript.exe (PID: 7920)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5584)
      • cmd.exe (PID: 7832)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7832)
      • cmd.exe (PID: 5584)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7832)
    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 1352)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Checks for external IP

      • svchost.exe (PID: 2232)
      • powershell.exe (PID: 1352)
    • Possible path obfuscation (POWERSHELL)

      • powershell.exe (PID: 1352)
    • The process checks if it is being run in the virtual environment

      • powershell.exe (PID: 1352)
    • Manipulates environment variables

      • powershell.exe (PID: 1352)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1352)
  • INFO

    • Manages system restore points

      • SrTasks.exe (PID: 5132)
    • Checks supported languages

      • msiexec.exe (PID: 2960)
      • chcp.com (PID: 8032)
      • chcp.com (PID: 7712)
    • An automatically generated document

      • msiexec.exe (PID: 7476)
    • Reads the computer name

      • msiexec.exe (PID: 2960)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5788)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 5788)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2960)
    • There is functionality for taking screenshot (YARA)

      • msiexec.exe (PID: 7476)
    • Search a value from a registry key

      • reg.exe (PID: 2324)
      • reg.exe (PID: 4300)
    • Changes the display of characters in the console

      • cmd.exe (PID: 5584)
      • cmd.exe (PID: 7832)
    • Creates files in the program directory

      • powershell.exe (PID: 1352)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Disables trace logs

      • powershell.exe (PID: 1352)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 1352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: unpack-basic-3.2-x64
Author: Microsoft Update
Keywords: Installer
Comments: unpack-basic-3.2-x64
Template: Intel;1033
RevisionNumber: {C1426EAC-4515-4DB8-9944-4E5F934A75E0}
CreateDate: 2026:03:19 16:36:04
ModifyDate: 2026:03:19 16:36:04
Pages: 200
Words: 10
Software: Windows Installer XML Toolset (3.11.1.2318)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
166
Monitored processes
26
Malicious processes
6
Suspicious processes
2


Process information

PID
CMD
Path
Indicators
Parent process
PID: 1176
CMD: ping -n 3 127.0.0.1
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll
PID: 1352
CMD: powershell -w hidden -c "iex($env:_t)"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 2232
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2324
CMD: reg query "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 2328
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2368
CMD: find "0x0"
Path: C:\Windows\SysWOW64\find.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\find.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
PID: 2452
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2812
CMD: ping -n 2 127.0.0.1
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll
PID: 2880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2960
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
17 647
Read events
17 470
Write events
168
Delete events
9

Modification events

(PID) Process: (2960) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
48000000000000004A36AF00DFB7DC01900B0000180B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2960) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
48000000000000004A36AF00DFB7DC01900B0000180B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2960) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000D5581301DFB7DC01900B0000180B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2960) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000EEBA1501DFB7DC01900B0000180B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2452) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
48000000000000006D1A5601DFB7DC0194090000841C0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2960) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000058F61001DFB7DC01900B0000180B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2960) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000058F61001DFB7DC01900B0000180B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2960) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
15
(PID) Process: (2960) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000A9A54001DFB7DC01900B0000180B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2960) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000A9A54001DFB7DC01900B0000B8160000E80300000100000000000000000000001CE3DB6D4E458C4FB8D392B2F046852600000000000000000000000000000000
Executable files
2
Suspicious files
22
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2960
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:
PID: 2960
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5:9245868E86D6339C0E7A219E57995AB5
SHA256:178A91BE5D88E7B7C33C59AE17096BC33B187F9C9A42BE41CBFF31BB91C9634E
PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Temp\~DFC3D9A5121B00B875.TMP
Type: binary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
PID: 2960
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\MicrosoftRuntime_cf96\svchost_032d.vbs
Type: text
MD5:1B314035910595826E894E9632F0290E
SHA256:C65C91B80DF99E528E7809B999992A88B01760B1A7D4357AFAB2584E0F94A719
PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Installer\e3fd5.msi
Type: executable
MD5:DE601286853543C4EF8E1B804675F910
SHA256:18EA4970EAC7CC6539D211ACD268C01903C5C999B2FB3381A364FD17FDB3EFA9
PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Installer\e3fd3.msi
Type: executable
MD5:DE601286853543C4EF8E1B804675F910
SHA256:18EA4970EAC7CC6539D211ACD268C01903C5C999B2FB3381A364FD17FDB3EFA9
PID: 2960
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{6ddbe31c-454e-4f8c-b8d3-92b2f0468526}_OnDiskSnapshotProp
Type: binary
MD5:9245868E86D6339C0E7A219E57995AB5
SHA256:178A91BE5D88E7B7C33C59AE17096BC33B187F9C9A42BE41CBFF31BB91C9634E
PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI40AE.tmp
Type: binary
MD5:113FE687C86BE4F70FFA4303AF41A0D3
SHA256:BF870A46328F7CAECFB3B70B146BE3A6B742B2790342734E3C362B5ED0C213D4
PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Installer\inprogressinstallinfo.ipi
Type: binary
MD5:19A2854144B63A8F7617A6F225019B12
SHA256:7523C62ABDB7628C5A9DAD8F97D8D8C5C040EDE36535E531A8A3748B6CAE7E00
PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Temp\~DF7955B9BDBD3C93E8.TMP
Type: binary
MD5:A351A492DC6F5E66543178C99B6C17C7
SHA256:0A35526CE1A8283903901DA335EDFB31C1D3E70FDF358CCF90B14DB4EE57BE4B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
634
TCP/UDP connections
169
DNS requests
105
Threats
70

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
POST
200
20.190.159.71:443
https://login.live.com/RST2.srf
US
binary
1.24 Kb
whitelisted
5316
svchost.exe
POST
400
40.126.31.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
5316
svchost.exe
POST
400
40.126.31.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
5316
svchost.exe
POST
400
40.126.31.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
POST
400
20.190.160.132:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
4872
svchost.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
4872
svchost.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
POST
403
23.52.181.212:443
https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409
US
binary
386 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4872
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7352
slui.exe
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
4872
svchost.exe
23.48.23.173:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
4872
svchost.exe
72.246.29.11:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
72.246.29.11:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4872
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
google.com
  • 142.250.201.174
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.167
  • 23.48.23.169
  • 23.48.23.156
  • 23.48.23.159
  • 23.48.23.164
  • 23.48.23.166
  • 23.48.23.161
  • 23.48.23.147
  • 23.48.23.176
  • 23.48.23.190
  • 23.48.23.178
  • 23.48.23.193
  • 23.48.23.191
  • 23.48.23.188
  • 23.48.23.177
  • 23.48.23.179
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 72.246.29.11
  • 23.52.181.212
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.2
  • 20.190.159.128
  • 40.126.31.129
  • 20.190.159.4
  • 40.126.31.3
  • 20.190.159.129
  • 40.126.31.130
  • 20.190.159.131
whitelisted
go.microsoft.com
  • 2.23.246.9
whitelisted
api.nuget.org
  • 13.107.246.45
  • 13.107.213.45
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
1352
powershell.exe
Misc activity
ET INFO Observed Smart Chain Domain in TLS SNI (bsc-dataseed .binance .org)
2232
svchost.exe
Misc activity
ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-dataseed .binance .org)
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
2232
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google App Engine (appspot .com)
1352
powershell.exe
Misc activity
ET INFO Observed Blockchain RPC Domain (polygon .drpc .org in TLS SNI)
2232
svchost.exe
Misc activity
ET INFO Observed DNS Query to Blockchain RPC Domain (polygon .drpc .org)
2232
svchost.exe
Misc activity
ET INFO Observed DNS Query to Blockchain RPC Domain (polygon .gateway .tenderly .co)
1352
powershell.exe
Misc activity
ET INFO Observed Blockchain RPC Domain (gateway .tenderly .co in TLS SNI)
2232
svchost.exe
Misc activity
ET INFO Observed DNS Query to Blockchain RPC Domain (gateway .tenderly .co)
No debug info