File name: Roblox Fix 2.0 by Sexsoldier.rar

Full analysis: https://app.any.run/tasks/e00eb7d0-0f92-4674-aefd-99b07341ad99
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 14, 2026, 07:30:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
salatstealer
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: BE4E0479627B9A5BE0EFF143CE8F24BD
SHA1: 3F678997C75D6EE658B6CBB12A7EF7B9312CA08F
SHA256: CE0B0DDD5F95F9A0235FF60D1242300940E15ABAC602AD5DECFDB3682257203F
SSDEEP: 98304:+kd28Q1ZHU/mcbkNjfkb9wkLGrFnSj1Wk499bK8mPetGX1iOPiVlHxqNRKx3Myyo:xBrJQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • svchost.exe (PID: 4300)
    • SALATSTEALER mutex has been found

      • svchost.exe (PID: 4368)
    • SALATSTEALER has been detected (SURICATA)

      • svchost.exe (PID: 4368)
    • SALATSTEALER has been detected (YARA)

      • svchost.exe (PID: 4368)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Roblox Fix 2.0 by Sexsoldier.exe (PID: 5100)
      • conhost.exe (PID: 7088)
    • Reads the date of Windows installation

      • Roblox Fix 2.0 by Sexsoldier.exe (PID: 5100)
    • The process creates files with name similar to system file names

      • Roblox Fix 2.0 by Sexsoldier.exe (PID: 5100)
      • conhost.exe (PID: 7088)
    • Starts itself from another location

      • conhost.exe (PID: 7088)
    • Application launched itself

      • svchost.exe (PID: 8716)
    • Multiple wallet extension IDs have been found

      • svchost.exe (PID: 4368)
  • INFO

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 1368)
      • Roblox Fix 2.0 by Sexsoldier.exe (PID: 5100)
      • svchost.exe (PID: 8716)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1368)
    • Reads the computer name

      • Roblox Fix 2.0 by Sexsoldier.exe (PID: 5100)
      • conhost.exe (PID: 7088)
      • Roblox FIX by Sexsoldier.exe (PID: 8624)
      • svchost.exe (PID: 4300)
      • svchost.exe (PID: 8716)
      • svchost.exe (PID: 4368)
    • Checks supported languages

      • Roblox Fix 2.0 by Sexsoldier.exe (PID: 5100)
      • Roblox FIX by Sexsoldier.exe (PID: 8624)
      • conhost.exe (PID: 7088)
      • svchost.exe (PID: 8716)
      • svchost.exe (PID: 4300)
      • svchost.exe (PID: 4368)
    • Creates files or folders in the user directory

      • Roblox Fix 2.0 by Sexsoldier.exe (PID: 5100)
      • conhost.exe (PID: 7088)
    • Process checks computer location settings

      • Roblox Fix 2.0 by Sexsoldier.exe (PID: 5100)
      • svchost.exe (PID: 8716)
    • Create files in a temporary directory

      • conhost.exe (PID: 7088)
      • svchost.exe (PID: 4300)
    • Reads the machine GUID from the registry

      • Roblox FIX by Sexsoldier.exe (PID: 8624)
      • svchost.exe (PID: 8716)
      • svchost.exe (PID: 4368)
    • Launching a file from a Registry key

      • svchost.exe (PID: 4300)
    • Detects GO elliptic curve encryption (YARA)

      • svchost.exe (PID: 4368)
    • UPX packer has been detected

      • svchost.exe (PID: 4368)
    • Application based on Golang

      • svchost.exe (PID: 4368)
    • There is functionality for taking screenshot (YARA)

      • svchost.exe (PID: 4368)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • svchost.exe (PID: 4368)
    • Found Base64 encoded file access via PowerShell (YARA)

      • svchost.exe (PID: 4368)
    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • svchost.exe (PID: 4368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
No data.
All screenshots are available in the full report
Total processes: 151
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Graph nodes (process name, with the badge shown on the node):
  • start
  • winrar.exe
  • roblox fix 2.0 by sexsoldier.exe
  • conhost.exe
  • roblox fix by sexsoldier.exe
  • svchost.exe (no specs)
  • svchost.exe (no specs)
  • svchost.exe (#SALATSTEALER)

Process information

PID: 1368
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Roblox Fix 2.0 by Sexsoldier.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4300
CMD: "C:\Users\admin\AppData\Roaming\SystemData\svchost.exe"
Path: C:\Users\admin\AppData\Roaming\SystemData\svchost.exe
Parent process: conhost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
svchost
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\systemdata\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 4368
CMD: "C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\svchost.exe"
Path: C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\svchost.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\mergedapps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
PID: 5100
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1368.7848\Roblox Fix 2.0 by Sexsoldier\Roblox Fix 2.0 by Sexsoldier.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1368.7848\Roblox Fix 2.0 by Sexsoldier\Roblox Fix 2.0 by Sexsoldier.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb1368.7848\roblox fix 2.0 by sexsoldier\roblox fix 2.0 by sexsoldier.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7088
CMD: "C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\conhost.exe"
Path: C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\conhost.exe
Parent process: Roblox Fix 2.0 by Sexsoldier.exe
User:
admin
Integrity Level:
MEDIUM
Description:
svchost
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\mergedapps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 8624
CMD: "C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\Roblox FIX by Sexsoldier.exe"
Path: C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\Roblox FIX by Sexsoldier.exe
Parent process: Roblox Fix 2.0 by Sexsoldier.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Roblox FIX by Sexsoldier
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\mergedapps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\roblox fix by sexsoldier.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 8716
CMD: "C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\svchost.exe"
Path: C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\svchost.exe
Parent process: Roblox Fix 2.0 by Sexsoldier.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\mergedapps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
Total events: 5 434
Read events: 5 410
Write events: 24
Delete events: 0

Modification events

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Downloads\chromium_build 1.zip

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Roblox Fix 2.0 by Sexsoldier.rar

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1368) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 5
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5100 | Roblox Fix 2.0 by Sexsoldier.exe | C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\conhost.exe | executable
  MD5: CE6F123A3741231AF14972867F86B2C3
  SHA256: 6AE1841406D2ABDC20FEE990795610B87FA67F0F2BD8B018A98B13E87FEE8BAE
1368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1368.7848\Roblox Fix 2.0 by Sexsoldier\Roblox Fix 2.0 by Sexsoldier.exe | executable
  MD5: 3B3ADE601CD234AAC9621DA96A34C53C
  SHA256: 51A7AA7DE6C87CE15CEBD41BE6E1DDE944932E9742C89F78AD9CA804E73993BD
5100 | Roblox Fix 2.0 by Sexsoldier.exe | C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\svchost.exe | executable
  MD5: EB664EBBC7C3C6101CCB308CF5AE464C
  SHA256: F69081853D51CE7432E0237461068C0716B3DF2010F50B9883561CE9616ED73A
7088 | conhost.exe | C:\Users\admin\AppData\Local\Temp\autolauncher_log.txt | text
  MD5: 6D12A5083E87B2C8095127542118A99B
  SHA256: 24E3C951BEA754766D9714919393504B70962B04558AADD8691995993ACDD950
7088 | conhost.exe | C:\Users\admin\AppData\Roaming\SystemData\svchost.exe | executable
  MD5: CE6F123A3741231AF14972867F86B2C3
  SHA256: 6AE1841406D2ABDC20FEE990795610B87FA67F0F2BD8B018A98B13E87FEE8BAE
5100 | Roblox Fix 2.0 by Sexsoldier.exe | C:\Users\admin\AppData\Local\MergedApps_03e80cc2-aef8-4ed2-9595-5677a0eb03ae\Roblox FIX by Sexsoldier.exe | executable
  MD5: B40F6316FA4250C7778428739F234D97
  SHA256: A3E76A650FB0F853027B2BDD10802F28B34D422607C5252B3311B62530032C53
4300 | svchost.exe | C:\Users\admin\AppData\Local\Temp\autolauncher_tracking.txt | text
  MD5: E5A0BB59984C5487C8818C502F6D712B
  SHA256: D67EC27C2538CF731B9B5AC8F2D043632B5379321B6FC8519436E1884E659847
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 28
TCP/UDP connections: 27
DNS requests: 15
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | unknown | - | - | whitelisted
6320 | svchost.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | unknown | - | - | whitelisted
356 | svchost.exe | POST | 200 | 20.190.160.131:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
3576 | SIHClient.exe | GET | 304 | 74.179.77.204:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | whitelisted
356 | svchost.exe | POST | 400 | 20.190.160.131:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
356 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | unknown | - | - | whitelisted
3576 | SIHClient.exe | GET | 200 | 135.232.92.97:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | whitelisted
3576 | SIHClient.exe | GET | 200 | 74.179.77.204:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | whitelisted
3576 | SIHClient.exe | GET | 304 | 74.179.77.204:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | whitelisted
356 | svchost.exe | POST | 400 | 20.190.160.131:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
6320 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3344 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
356 | svchost.exe | 20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
356 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
6320 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6320 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
google.com | 142.251.36.110 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
login.live.com | 20.190.160.131, 20.190.160.4, 40.126.32.74, 20.190.160.14, 40.126.32.72, 20.190.160.67, 20.190.160.64, 20.190.160.65 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.49 | whitelisted
www.microsoft.com | 23.52.181.212 | whitelisted
dns.google | 8.8.4.4, 8.8.8.8 | whitelisted
slscr.update.microsoft.com | 74.179.77.204 | whitelisted
fe3cr.delivery.mp.microsoft.com | 135.232.92.97 | whitelisted

Threats

PID | Process | Class | Message
6320 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292 | svchost.exe | Misc activity | INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
4368 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
4368 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
2292 | svchost.exe | Misc activity | INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
4368 | svchost.exe | Misc activity | ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
4368 | svchost.exe | Misc activity | ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
No debug info