File name:

Roblox.exe

Full analysis: https://app.any.run/tasks/c5c4a2a3-4da6-4aa3-a08c-4bb2b76d0fdb
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: June 06, 2025, 14:29:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
api-base64
zerotrace
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

C84753656803B75B3C3E94F020B32D40

SHA1:

A7B9081EA0D85503BC622AA0A421F61AECCB7B92

SHA256:

A6D1CDB743C342F5006713DF4960C29718F09F8EF5EF514DC08AE82E879D57F2

SSDEEP:

49152:tWOlJjyULcWg4q2vX9OLQTM+acHEGSEGGVju0yxFXj0ia+CtbQRfrYIvV8ARgzDO:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • grpconv.exe (PID: 6676)
      • grpconv.exe (PID: 1088)
      • grpconv.exe (PID: 2152)
      • grpconv.exe (PID: 7924)
      • grpconv.exe (PID: 7852)
    • Actions looks like stealing of personal data

      • grpconv.exe (PID: 6676)
      • grpconv.exe (PID: 2152)
      • grpconv.exe (PID: 1088)
      • grpconv.exe (PID: 8152)
      • grpconv.exe (PID: 7924)
      • Roblox.exe (PID: 2040)
      • grpconv.exe (PID: 7852)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4608)
    • ZEROTRACE has been detected

      • Roblox.exe (PID: 2040)
    • Changes powershell execution policy (Bypass)

      • Roblox.exe (PID: 2040)
    • Suspicious browser debugging (Possible cookie theft)

      • chrome.exe (PID: 7280)
      • chrome.exe (PID: 6800)
      • msedge.exe (PID: 7816)
      • msedge.exe (PID: 7564)
      • msedge.exe (PID: 2104)
      • msedge.exe (PID: 5304)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Roblox.exe (PID: 1348)
    • Application launched itself

      • Roblox.exe (PID: 1348)
    • Multiple wallet extension IDs have been found

      • Roblox.exe (PID: 2040)
    • Starts POWERSHELL.EXE for commands execution

      • Roblox.exe (PID: 2040)
    • The process executes Powershell scripts

      • Roblox.exe (PID: 2040)
    • MS Edge headless start

      • msedge.exe (PID: 7816)
      • msedge.exe (PID: 8168)
      • msedge.exe (PID: 2104)
      • msedge.exe (PID: 6404)
      • msedge.exe (PID: 4452)
      • msedge.exe (PID: 7564)
      • msedge.exe (PID: 5304)
      • msedge.exe (PID: 2796)
  • INFO

    • Reads the computer name

      • Roblox.exe (PID: 1348)
      • Roblox.exe (PID: 2040)
    • Checks supported languages

      • Roblox.exe (PID: 1348)
      • Roblox.exe (PID: 2040)
    • Process checks computer location settings

      • Roblox.exe (PID: 1348)
    • Create files in a temporary directory

      • grpconv.exe (PID: 2852)
      • grpconv.exe (PID: 2616)
      • grpconv.exe (PID: 2152)
      • Roblox.exe (PID: 2040)
      • grpconv.exe (PID: 7924)
    • Reads the machine GUID from the registry

      • Roblox.exe (PID: 2040)
    • Creates files or folders in the user directory

      • grpconv.exe (PID: 2852)
      • grpconv.exe (PID: 2616)
      • grpconv.exe (PID: 1244)
      • grpconv.exe (PID: 6456)
      • grpconv.exe (PID: 6676)
      • grpconv.exe (PID: 6880)
      • grpconv.exe (PID: 3996)
      • grpconv.exe (PID: 1088)
      • grpconv.exe (PID: 8076)
      • grpconv.exe (PID: 8152)
      • grpconv.exe (PID: 2152)
      • grpconv.exe (PID: 7852)
      • grpconv.exe (PID: 7924)
    • Potential library load (Base64 Encoded 'LoadLibrary')

      • Roblox.exe (PID: 2040)
    • Potential remote process memory reading (Base64 Encoded 'ReadProcessMemory')

      • Roblox.exe (PID: 2040)
    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • Roblox.exe (PID: 2040)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • Roblox.exe (PID: 2040)
    • Reads Windows Product ID

      • grpconv.exe (PID: 8076)
    • Reads Microsoft Office registry keys

      • grpconv.exe (PID: 8076)
    • Reads security settings of Internet Explorer

      • grpconv.exe (PID: 7924)
    • Reads CPU info

      • Roblox.exe (PID: 2040)
    • Disables trace logs

      • powershell.exe (PID: 4608)
    • Checks proxy server information

      • powershell.exe (PID: 4608)
    • Application launched itself

      • chrome.exe (PID: 7280)
      • chrome.exe (PID: 6800)
      • msedge.exe (PID: 7816)
      • msedge.exe (PID: 2104)
      • msedge.exe (PID: 7564)
      • msedge.exe (PID: 5304)
    • Manual execution by a user

      • msedge.exe (PID: 2104)
      • msedge.exe (PID: 5304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2102:03:16 01:25:54+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 11233280
InitializedDataSize: 6656
UninitializedDataSize: -
EntryPoint: 0xab864e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: ZeroTraceOfficialStub
FileVersion: 1.0.0.0
InternalName: ZeroTraceOfficialStub.exe
LegalCopyright: Copyright © 2025
LegalTrademarks: -
OriginalFileName: ZeroTraceOfficialStub.exe
ProductName: ZeroTraceOfficialStub
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes
201
Monitored processes
75
Malicious processes
15
Suspicious processes
0

Behavior graph

start roblox.exe no specs #ZEROTRACE roblox.exe grpconv.exe no specs grpconv.exe no specs grpconv.exe no specs grpconv.exe no specs grpconv.exe no specs grpconv.exe no specs grpconv.exe no specs grpconv.exe grpconv.exe grpconv.exe no specs grpconv.exe no specs grpconv.exe no specs grpconv.exe no specs grpconv.exe no specs grpconv.exe grpconv.exe no specs grpconv.exe grpconv.exe grpconv.exe no specs grpconv.exe powershell.exe no specs conhost.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs slui.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 232
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-quic --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --no-appcompat-clear --mojo-platform-channel-handle=2312 --field-trial-handle=2344,i,1456886009063200243,7888339440255379617,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1088
CMD: "C:\Windows\SysWOW64\grpconv.exe" /stext "C:\Users\admin\AppData\Roaming\Bookmarks-output_20250606143006.txt"
Path: C:\Windows\SysWOW64\grpconv.exe
Parent process: Roblox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1244
CMD: "C:\Windows\SysWOW64\grpconv.exe" /stext "C:\Users\admin\AppData\Roaming\InstalledApps-output_20250606143006.txt"
Path: C:\Windows\SysWOW64\grpconv.exe
Parent process: Roblox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1348
CMD: "C:\Users\admin\AppData\Local\Temp\Roblox.exe"
Path: C:\Users\admin\AppData\Local\Temp\Roblox.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
ZeroTraceOfficialStub
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\roblox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 1568
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --disable-quic --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=1936,i,526251604764109682,17484936717021231539,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1600
CMD: "C:\Windows\SysWOW64\grpconv.exe" /shtml "C:\Users\admin\AppData\Roaming\watch-output_20250606143006.html"
Path: C:\Windows\SysWOW64\grpconv.exe
Parent process: Roblox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1660
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-quic --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --mojo-platform-channel-handle=1940 --field-trial-handle=1956,i,2450134224032977437,13462326901307786203,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
4294967295
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1764
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2040
CMD: "C:\Users\admin\AppData\Local\Temp\Roblox.exe"
Path: C:\Users\admin\AppData\Local\Temp\Roblox.exe
Parent process: Roblox.exe
User:
admin
Integrity Level:
HIGH
Description:
ZeroTraceOfficialStub
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\roblox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2104
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless=new --disable-gpu --no-sandbox --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --noerrdialogs --no-first-run --flag-switches-begin --disable-quic --flag-switches-end --do-not-de-elevate
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
4294967295
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
19 567
Read events
19 510
Write events
57
Delete events
0

Modification events

Process: (1348) Roblox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 6DFB426800000000

Process: (1348) Roblox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (7924) grpconv.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (7924) grpconv.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (7924) grpconv.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (7280) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

Process: (7280) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

Process: (7280) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

Process: (7280) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

Process: (7280) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1
Executable files
0
Suspicious files
157
Text files
120
Unknown types
14

Dropped files

PID
Process
Filename
Type
PID: 2852 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Local\Temp\ecv567.tmp | Type:
MD5:
SHA256:
PID: 2152 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Local\Temp\bhv2D71.tmp | Type:
MD5:
SHA256:
PID: 2152 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Local\Temp\sqp2E7B.tmp | Type:
MD5:
SHA256:
PID: 7924 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Local\Temp\bhv6A7A.tmp | Type:
MD5:
SHA256:
PID: 2852 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Roaming\AlternativeEdgeCookies-output_20250606143006.txt | Type: text
MD5: 5D74003A2B083FE01A9BAD7C7043648D
SHA256: F779BBC6238A79AB55015E796BB5DCCDFFD6244DC1792F3056ADBF952EB2EA10
PID: 2152 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Local\Temp\sqp2E7B.tmp-shm | Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID: 6456 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Roaming\watch-output_20250606143006.html | Type: html
MD5: 3D93041EBDDB529D2AE3F5C0192FE444
SHA256: 0705DAA7A978A33ABB9D43B519EF5020F08939955BF0F2FCDA1A0ED35B776A11
PID: 1244 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Roaming\InstalledApps-output_20250606143006.txt | Type: text
MD5: CE4FA4FC43BE5D8FCB6EC440FD4F615F
SHA256: 0EFA9ED04370A623CCC546F41BA0F31BD06AD6E1F41AD79B076C7F7CF8FDFC4F
PID: 6676 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Roaming\ChromeV20-output_20250606143006.txt | Type: text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
PID: 2152 | Process: grpconv.exe | Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\places.sqlite-shm | Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
63
DNS requests
77
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8116
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8116
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7628
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1660
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7628
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.131
  • 20.190.159.129
  • 40.126.31.131
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
clientservices.googleapis.com
  • 142.250.184.227
whitelisted

Threats

No threats detected
No debug info