File name:

Voidstrap.exe

Full analysis: https://app.any.run/tasks/14e31b46-33bf-44b3-98d7-8d2f27ef64aa
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 23, 2025, 05:50:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
roblox
arch-doc
amsi-bypass
arch-scr
arch-exec
auto-reg
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5:

1C5CB377C9B9D80DE42E3DAB6590E3A1

SHA1:

37FCC472B4E405461CFA31B894D9B2C89C7A44CC

SHA256:

877DF2C5DB41198707DC41A17E0240DEEEE4F00D66E9A2AEDCC17F62C3DDA6A9

SSDEEP:

786432:3IhmsLkdvf6sddkF89Xkrx9Dhridcp4kGyUv2fS/imh:32mP9f6GSG9XGDQAFGyUUS//h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 7540)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7840)
      • MicrosoftEdgeUpdate.exe (PID: 7540)
    • Process drops legitimate windows executable

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeUpdate.exe (PID: 7540)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7840)
    • Reads security settings of Internet Explorer

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeUpdate.exe (PID: 7540)
    • The process creates files with name similar to system file names

      • Voidstrap.exe (PID: 7308)
    • The process drops C-runtime libraries

      • Voidstrap.exe (PID: 7308)
    • Searches for installed software

      • Voidstrap.exe (PID: 7308)
    • Creates file in the systems drive root

      • EXCEL.EXE (PID: 7944)
    • Opens a file (MACROS)

      • EXCEL.EXE (PID: 7944)
    • Reads data from a file (MACROS)

      • EXCEL.EXE (PID: 7944)
    • Possibly patching Antimalware Scan Interface function (YARA)

      • Voidstrap.exe (PID: 7308)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 7540)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7840)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 7540)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 988)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7920)
      • MicrosoftEdgeUpdate.exe (PID: 5704)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5696)
  • INFO

    • The sample compiled with english language support

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7840)
      • MicrosoftEdgeUpdate.exe (PID: 7540)
    • Checks supported languages

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeUpdate.exe (PID: 7540)
      • MicrosoftEdgeUpdate.exe (PID: 5704)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7840)
      • MicrosoftEdgeUpdate.exe (PID: 7420)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5696)
      • MicrosoftEdgeUpdate.exe (PID: 7216)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 988)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7920)
      • MicrosoftEdgeUpdate.exe (PID: 7720)
      • MicrosoftEdgeUpdateCore.exe (PID: 4972)
      • MicrosoftEdgeUpdate.exe (PID: 5896)
    • Create files in a temporary directory

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7840)
    • Creates files in the program directory

      • Voidstrap.exe (PID: 7308)
    • Process checks computer location settings

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeUpdate.exe (PID: 7540)
    • Reads the computer name

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeUpdate.exe (PID: 7540)
      • MicrosoftEdgeUpdate.exe (PID: 5704)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 988)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7920)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5696)
      • MicrosoftEdgeUpdate.exe (PID: 7420)
      • MicrosoftEdgeUpdate.exe (PID: 7216)
      • MicrosoftEdgeUpdate.exe (PID: 7720)
      • MicrosoftEdgeUpdate.exe (PID: 5896)
      • MicrosoftEdgeUpdateCore.exe (PID: 4972)
    • Manual execution by a user

      • wscript.exe (PID: 1196)
      • wscript.exe (PID: 1148)
      • notepad.exe (PID: 7304)
      • EXCEL.EXE (PID: 7944)
      • EXCEL.EXE (PID: 5484)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7840)
      • notepad.exe (PID: 2876)
      • MicrosoftEdgeUpdateCore.exe (PID: 4972)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7304)
      • notepad.exe (PID: 2876)
    • Creates a software uninstall entry

      • Voidstrap.exe (PID: 7308)
    • Creates files or folders in the user directory

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeUpdate.exe (PID: 7540)
    • Reads the software policy settings

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeUpdate.exe (PID: 7420)
      • slui.exe (PID: 7960)
      • MicrosoftEdgeUpdate.exe (PID: 7720)
    • Checks proxy server information

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeUpdate.exe (PID: 7420)
      • slui.exe (PID: 7960)
      • MicrosoftEdgeUpdate.exe (PID: 7720)
    • Reads the machine GUID from the registry

      • Voidstrap.exe (PID: 7308)
      • MicrosoftEdgeUpdate.exe (PID: 7420)
      • MicrosoftEdgeUpdate.exe (PID: 7720)
    • ROBLOX mutex has been found

      • Voidstrap.exe (PID: 7308)
    • Launching a file from a Registry key

      • MicrosoftEdgeUpdate.exe (PID: 7540)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 7420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:15 03:21:18+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 6275584
InitializedDataSize: 2071040
UninitializedDataSize: -
EntryPoint: 0x5a19c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.6.3
ProductVersionNumber: 1.0.6.3
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Voidstrap
FileDescription: Voidstrap
FileVersion: 1.0.6.3
InternalName: Voidstrap.dll
LegalCopyright:
OriginalFileName: Voidstrap.dll
ProductName: Voidstrap
ProductVersion: 1.0.6.3+ed786798516206263cfc13c3647c2a0ce17bdcd3
AssemblyVersion: 1.0.6.3
No data.
All screenshots are available in the full report
Total processes
150
Monitored processes
19
Malicious processes
2
Suspicious processes
1

Behavior graph

Process nodes in the graph (nodes marked "no specs" carry no indicators):
  • start
  • voidstrap.exe
  • slui.exe
  • excel.exe
  • excel.exe
  • wscript.exe (no specs)
  • wscript.exe (no specs)
  • notepad.exe (no specs)
  • microsoftedgewebview2setup.exe
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdate.exe
  • notepad.exe (no specs)
  • microsoftedgeupdatecore.exe (no specs)
  • microsoftedgeupdate.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
988
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.45\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1148
CMD:
"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\PerformanceConfigs\rofiler.tools.js
Path:
C:\Windows\System32\wscript.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1196
CMD:
"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\PerformanceConfigs\rofiler.js
Path:
C:\Windows\System32\wscript.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2876
CMD:
"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\gamecontrollerdb.txt
Path:
C:\Windows\System32\notepad.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
4972
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateCore.exe"
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateCore.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.45\microsoftedgeupdatecore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID:
5484
CMD:
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\CoreScriptLocalizationTrimmed.csv
Path:
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\combase.dll
PID:
5696
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.45\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.45\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
5704
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
5896
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdateCore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID:
7216
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource taggedmi /sessionid "{32C0A3BE-B4F3-4BE0-8C75-D300494E6058}"
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.45
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events
41 178
Read events
38 656
Write events
2 456
Delete events
66

Modification events

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: DisplayIcon
Value: C:\Users\admin\AppData\Local\Voidstrap\Voidstrap.exe,0

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: DisplayName
Value: Voidstrap

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: DisplayVersion
Value: 1.0.6.3

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: InstallDate
Value: 20251023

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: InstallLocation
Value: C:\Users\admin\AppData\Local\Voidstrap

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: NoRepair
Value: 1

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: Publisher
Value: Voidstrap

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: ModifyPath
Value: "C:\Users\admin\AppData\Local\Voidstrap\Voidstrap.exe" -settings

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: QuietUninstallString
Value: "C:\Users\admin\AppData\Local\Voidstrap\Voidstrap.exe" -uninstall -quiet

(PID) Process: (7308) Voidstrap.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Voidstrap
Operation: write | Name: UninstallString
Value: "C:\Users\admin\AppData\Local\Voidstrap\Voidstrap.exe" -uninstall
Executable files
487
Suspicious files
52
Text files
450
Unknown types
5

Dropped files

PID
Process
Filename
Type
PID: 7308 | Process: Voidstrap.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\License - Fira Code.txt
MD5: 1F319CA1887AFC3591B1DCCDD8530C58
SHA256: 1D41E10031AB125302780A05EC4C91D218E47DB0C7E37CF315CCE5E608CDC25C

PID: 7308 | Process: Voidstrap.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\License - Fluent System Icons.txt
MD5: 01DFEC1B701EF4BB4884468C1A9C5693
SHA256: 69BC45DC42B9ACB96A69823ADBC6AE538374E3C0BDE169B855B32C48EAAEF52F

PID: 7308 | Process: Voidstrap.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\License - Segoe Fluent Icons.txt
MD5: 9ED1459E7AB3A73649F91CAFC7179B07
SHA256: 9E90BA20D2288CE1625E6126A9BCA3E1FC26B38F85620D1F92201A165001813F

PID: 7308 | Process: Voidstrap.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\License - VirtualizingWrapPanel.txt
MD5: C1D204614D2CB57914BB8583E4153EC5
SHA256: 849E6087D42BF504BCEFE4C6FE01D7481123A8AFF14EED030B12528C4E6AE0B1

PID: 7308 | Process: Voidstrap.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\Voidstrap.runtimeconfig.json
MD5: 23FC94F51E416A0475A4C3B1CAAF0DFB
SHA256: DD3E0515C3764DDF9A85E47A03E5298EACD75585D5615146BFEEB733D064A1E5

PID: 7308 | Process: Voidstrap.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\Voidstrap.dll
MD5: D824822F021BD65C1F3A3B89761998F6
SHA256: D51DCF82FF66E1B69973FEB7DDC762F93455926FBE1467627A35046917243A5E

PID: 7308 | Process: Voidstrap.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\runtimes\win-x64\native\WebView2Loader.dll
MD5: 11D7BD8636ADD5F848A99586718212B1
SHA256: 2F965E10AED3B356A408978A0E6D74EB86E3E722DD008FA9AD39F68884479E85

PID: 7308 | Process: Voidstrap.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\ar\Voidstrap.resources.dll
MD5: 80D62B3BE26F077DD009024C84CE1C95
SHA256: 3F5FB53C583FACDBEB6F477445EC90B7A0220721EDFBBCC86E630D7DBF0A4AD6

PID: 7308 | Process: Voidstrap.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\hu\Voidstrap.resources.dll
MD5: C51E83864047D02A72CAF7045CB78DF7
SHA256: 6DBCDE5D1DAEA4E5E191780216ADB66BC449812B62385FBA126C129AED2D2F78

PID: 7308 | Process: Voidstrap.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\.net\Voidstrap\1c8c\fi\Voidstrap.resources.dll
MD5: 194C1353AFF0A71B9EE2B5233C7FB823
SHA256: 4076798DC480505A2712AA09F4403B7EFC29209FBF2680B55703BB7F6922F31F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
77
TCP/UDP connections
90
DNS requests
32
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
20.190.160.128:443
https://login.live.com/RST2.srf
US
xml
10.3 Kb
unknown
6336
svchost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
POST
200
20.190.160.20:443
https://login.live.com/RST2.srf
US
xml
11.3 Kb
unknown
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251023T055022Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=f11a60c6a46446ee9dca03fd28b4cb35&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4273789&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1664319&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
US
binary
3.21 Kb
unknown
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251023T055022Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=13f6744923e34041b6e588faa21f2568&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4273789&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1664319&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
US
binary
1.34 Kb
unknown
POST
200
40.126.32.140:443
https://login.live.com/RST2.srf
US
xml
11.3 Kb
unknown
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251023T055022Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=a207499d409745dfba5c92f70d800052&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4273789&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1664319&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
US
binary
3.20 Kb
unknown
GET
200
135.233.95.144:443
https://slscr.update.microsoft.com/sls/ping
US
unknown
GET
200
13.85.23.206:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
unknown
1680
SIHClient.exe
GET
200
104.123.41.162:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
NL
binary
813 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6336
svchost.exe
40.126.32.140:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.27.74:443
www.bing.com
Akamai International B.V.
NL
whitelisted
40.126.32.140:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
192.168.100.255:138
whitelisted
6336
svchost.exe
172.66.2.5:80
ocsp.digicert.com
US
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.31.169.57:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
login.live.com
  • 40.126.32.140
  • 20.190.160.128
  • 20.190.160.64
  • 20.190.160.132
  • 20.190.160.65
  • 20.190.160.20
  • 40.126.32.72
  • 40.126.32.76
whitelisted
www.bing.com
  • 2.16.27.74
  • 2.16.27.98
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
google.com
  • 172.217.18.14
whitelisted
ocsp.digicert.com
  • 172.66.2.5
  • 162.159.142.9
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
www.microsoft.com
  • 104.123.41.162
whitelisted

Threats

PID
Process
Class
Message
8064
svchost.exe
Misc activity
ET INFO Packed Executable Download
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET INFO Executable served from Amazon S3
Misc activity
ET INFO EXE - Served Inline HTTP
No debug info