File name:

Bootstrapper-Roblox.msi

Full analysis: https://app.any.run/tasks/c3a7f50f-76d3-4e24-bfdd-b18aebaffcb1
Verdict: Malicious activity
Analysis date: March 19, 2026, 20:28:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
susp-powershell
etherhiding
evasion
anti-evasion
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: unpack-basic-3.2-x64, Author: Microsoft Update, Keywords: Installer, Comments: unpack-basic-3.2-x64, Template: Intel;1033, Revision Number: {C1426EAC-4515-4DB8-9944-4E5F934A75E0}, Create Time/Date: Thu Mar 19 16:36:04 2026, Last Saved Time/Date: Thu Mar 19 16:36:04 2026, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
MD5:

DE601286853543C4EF8E1B804675F910

SHA1:

05C17EBF9BDFCE1FBED1196DD72885DFAAD1D77F

SHA256:

18EA4970EAC7CC6539D211ACD268C01903C5C999B2FB3381A364FD17FDB3EFA9

SSDEEP:

49152:jkwh+WMTX85ZINxRlV8TiOrPu+tEu5RNP1FDw6W1cQ/hMkJo+asD+87SiSa7prml:ovJTX8HINxRsT9rPu+tEM/VwX1cQqA+r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Proxy execution via Explorer

      • msiexec.exe (PID: 2960)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1352)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1352)
    • ETHERHIDING has been detected (SURICATA)

      • powershell.exe (PID: 1352)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 2452)
    • The process executes VB scripts

      • wscript.exe (PID: 6732)
      • wscript.exe (PID: 7920)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6732)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6732)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6732)
      • wscript.exe (PID: 7920)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4956)
      • cmd.exe (PID: 5584)
      • cmd.exe (PID: 7832)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6732)
      • cmd.exe (PID: 4956)
      • wscript.exe (PID: 7920)
    • Starts application with an unusual extension

      • cmd.exe (PID: 5584)
      • cmd.exe (PID: 7832)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5584)
      • cmd.exe (PID: 7832)
    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 1352)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7832)
    • Manipulates environment variables

      • powershell.exe (PID: 1352)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Checks for external IP

      • powershell.exe (PID: 1352)
      • svchost.exe (PID: 2232)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Possible path obfuscation (POWERSHELL)

      • powershell.exe (PID: 1352)
    • The process checks if it is being run in the virtual environment

      • powershell.exe (PID: 1352)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 2960)
      • chcp.com (PID: 8032)
      • chcp.com (PID: 7712)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2960)
    • Manages system restore points

      • SrTasks.exe (PID: 5132)
    • Reads the computer name

      • msiexec.exe (PID: 2960)
    • An automatically generated document

      • msiexec.exe (PID: 7476)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5788)
    • There is functionality for taking screenshot (YARA)

      • msiexec.exe (PID: 7476)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 5788)
    • Changes the display of characters in the console

      • cmd.exe (PID: 5584)
      • cmd.exe (PID: 7832)
    • Search a value from a registry key

      • reg.exe (PID: 2324)
      • reg.exe (PID: 4300)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Disables trace logs

      • powershell.exe (PID: 1352)
    • Creates files in the program directory

      • powershell.exe (PID: 1352)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1352)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 1352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: unpack-basic-3.2-x64
Author: Microsoft Update
Keywords: Installer
Comments: unpack-basic-3.2-x64
Template: Intel;1033
RevisionNumber: {C1426EAC-4515-4DB8-9944-4E5F934A75E0}
CreateDate: 2026:03:19 16:36:04
ModifyDate: 2026:03:19 16:36:04
Pages: 200
Words: 10
Software: Windows Installer XML Toolset (3.11.1.2318)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
166
Monitored processes
26
Malicious processes
6
Suspicious processes
2

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
1176
CMD:
ping -n 3 127.0.0.1
Path:
C:\Windows\SysWOW64\PING.EXE
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll
PID:
1352
CMD:
powershell -w hidden -c "iex($env:_t)"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
2232
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2324
CMD:
reg query "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID:
2328
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2368
CMD:
find "0x0"
Path:
C:\Windows\SysWOW64\find.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\find.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
PID:
2452
CMD:
C:\WINDOWS\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2812
CMD:
ping -n 2 127.0.0.1
Path:
C:\Windows\SysWOW64\PING.EXE
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll
PID:
2880
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2960
CMD:
C:\WINDOWS\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
17 647
Read events
17 470
Write events
168
Delete events
9

Modification events

PID: 2960
Process: msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
48000000000000004A36AF00DFB7DC01900B0000180B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID: 2960
Process: msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
48000000000000004A36AF00DFB7DC01900B0000180B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID: 2960
Process: msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000D5581301DFB7DC01900B0000180B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

PID: 2960
Process: msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000EEBA1501DFB7DC01900B0000180B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID: 2452
Process: VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
48000000000000006D1A5601DFB7DC0194090000841C0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID: 2960
Process: msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000058F61001DFB7DC01900B0000180B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID: 2960
Process: msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000058F61001DFB7DC01900B0000180B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID: 2960
Process: msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
15

PID: 2960
Process: msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000A9A54001DFB7DC01900B0000180B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID: 2960
Process: msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000A9A54001DFB7DC01900B0000B8160000E80300000100000000000000000000001CE3DB6D4E458C4FB8D392B2F046852600000000000000000000000000000000
Executable files
2
Suspicious files
22
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2960
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:

PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Temp\~DF7955B9BDBD3C93E8.TMP
Type: binary
MD5: A351A492DC6F5E66543178C99B6C17C7
SHA256: 0A35526CE1A8283903901DA335EDFB31C1D3E70FDF358CCF90B14DB4EE57BE4B

PID: 2960
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{6ddbe31c-454e-4f8c-b8d3-92b2f0468526}_OnDiskSnapshotProp
Type: binary
MD5: 9245868E86D6339C0E7A219E57995AB5
SHA256: 178A91BE5D88E7B7C33C59AE17096BC33B187F9C9A42BE41CBFF31BB91C9634E

PID: 2960
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: 9245868E86D6339C0E7A219E57995AB5
SHA256: 178A91BE5D88E7B7C33C59AE17096BC33B187F9C9A42BE41CBFF31BB91C9634E

PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Installer\e3fd3.msi
Type: executable
MD5: DE601286853543C4EF8E1B804675F910
SHA256: 18EA4970EAC7CC6539D211ACD268C01903C5C999B2FB3381A364FD17FDB3EFA9

PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI40AE.tmp
Type: binary
MD5: 113FE687C86BE4F70FFA4303AF41A0D3
SHA256: BF870A46328F7CAECFB3B70B146BE3A6B742B2790342734E3C362B5ED0C213D4

PID: 2960
Process: msiexec.exe
Filename: C:\Windows\Installer\inprogressinstallinfo.ipi
Type: binary
MD5: A351A492DC6F5E66543178C99B6C17C7
SHA256: 0A35526CE1A8283903901DA335EDFB31C1D3E70FDF358CCF90B14DB4EE57BE4B

PID: 2960
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\MicrosoftRuntime_cf96\telemetry_f7.tmp
Type: binary
MD5: 7908FD5294D7F93F7D9AE9EE4044EF7D
SHA256: BD68BB992571DA3746D2DD6EF2AF53F314D3C3630C119AAFF517052525263B04

PID: 2960
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\MicrosoftRuntime_cf96\svchost_032d.vbs
Type: text
MD5: 1B314035910595826E894E9632F0290E
SHA256: C65C91B80DF99E528E7809B999992A88B01760B1A7D4357AFAB2584E0F94A719

PID: 2960
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\MicrosoftRuntime_cf96\svchost_7e95.bat
Type: text
MD5: ABE99D1442050F71EFC2ECA60D7F2566
SHA256: C12C26D5611A06A9BA3A146FA96ADADEF4E520F28A8E3793837BF9E82AE0F4B9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
634
TCP/UDP connections
169
DNS requests
105
Threats
70

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
5316
svchost.exe
POST
400
40.126.31.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
5316
svchost.exe
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
US
1.24 Kb
whitelisted
POST
400
20.190.160.132:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
POST
200
20.190.159.71:443
https://login.live.com/RST2.srf
US
binary
1.24 Kb
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
4872
svchost.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
4872
svchost.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5316
svchost.exe
POST
400
40.126.31.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted
POST
400
20.190.160.132:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
binary
203 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4872
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7352
slui.exe
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
4872
svchost.exe
23.48.23.173:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
4872
svchost.exe
72.246.29.11:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
72.246.29.11:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4872
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
google.com
  • 142.250.201.174
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.167
  • 23.48.23.169
  • 23.48.23.156
  • 23.48.23.159
  • 23.48.23.164
  • 23.48.23.166
  • 23.48.23.161
  • 23.48.23.147
  • 23.48.23.176
  • 23.48.23.190
  • 23.48.23.178
  • 23.48.23.193
  • 23.48.23.191
  • 23.48.23.188
  • 23.48.23.177
  • 23.48.23.179
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 72.246.29.11
  • 23.52.181.212
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.2
  • 20.190.159.128
  • 40.126.31.129
  • 20.190.159.4
  • 40.126.31.3
  • 20.190.159.129
  • 40.126.31.130
  • 20.190.159.131
whitelisted
go.microsoft.com
  • 2.23.246.9
whitelisted
api.nuget.org
  • 13.107.246.45
  • 13.107.213.45
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
1352
powershell.exe
Misc activity
ET INFO Observed Smart Chain Domain in TLS SNI (bsc-dataseed .binance .org)
2232
svchost.exe
Misc activity
ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-dataseed .binance .org)
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
2232
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google App Engine (appspot .com)
1352
powershell.exe
Misc activity
ET INFO Observed Blockchain RPC Domain (polygon .drpc .org in TLS SNI)
2232
svchost.exe
Misc activity
ET INFO Observed DNS Query to Blockchain RPC Domain (polygon .drpc .org)
2232
svchost.exe
Misc activity
ET INFO Observed DNS Query to Blockchain RPC Domain (polygon .gateway .tenderly .co)
1352
powershell.exe
Misc activity
ET INFO Observed Blockchain RPC Domain (gateway .tenderly .co in TLS SNI)
2232
svchost.exe
Misc activity
ET INFO Observed DNS Query to Blockchain RPC Domain (gateway .tenderly .co)
No debug info