| File name: | RobloxPlayerLauncher.exe |
| Full analysis: | https://app.any.run/tasks/eef65853-b57e-42ec-ab61-4dcde689a2a2 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 29, 2025, 18:51:08 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
| MD5: | 6E5E87DA0F55258E5973E478BFAE6916 |
| SHA1: | ECEB63F9CF8E90B27CAD5F105E9B7EB477B2E4F3 |
| SHA256: | 61EC04884895FC9CB3EE046E3F8E3AF5AE58E9EA3D843613115FF8BCFFCD8489 |
| SSDEEP: | 98304:Ss0z4O73UUe3py/ktvYOGuiydv8PYNWsCFI4cQJwKqvGz4z3ZnLdLgD0EDED9dam:RYTRDRnRXLS |
MALICIOUS
No malicious indicators.SUSPICIOUS
Application launched itself
- RobloxPlayerLauncher.exe (PID: 664)
Reads security settings of Internet Explorer
- RobloxPlayerLauncher.exe (PID: 6112)
- RobloxPlayerLauncher.exe (PID: 664)
Executable content was dropped or overwritten
- RobloxPlayerLauncher.exe (PID: 664)
INFO
Reads the computer name
- RobloxPlayerLauncher.exe (PID: 664)
- RobloxPlayerLauncher.exe (PID: 6112)
The sample compiled with english language support
- RobloxPlayerLauncher.exe (PID: 664)
Checks proxy server information
- RobloxPlayerLauncher.exe (PID: 664)
- RobloxPlayerLauncher.exe (PID: 6112)
- slui.exe (PID: 616)
Create files in a temporary directory
- RobloxPlayerLauncher.exe (PID: 664)
- RobloxPlayerLauncher.exe (PID: 6112)
Checks supported languages
- RobloxPlayerLauncher.exe (PID: 6112)
- RobloxPlayerLauncher.exe (PID: 664)
Reads the software policy settings
- RobloxPlayerLauncher.exe (PID: 664)
- RobloxPlayerLauncher.exe (PID: 6112)
- slui.exe (PID: 616)
Reads the machine GUID from the registry
- RobloxPlayerLauncher.exe (PID: 6112)
- RobloxPlayerLauncher.exe (PID: 664)
ROBLOX mutex has been found
- RobloxPlayerLauncher.exe (PID: 664)
Process checks computer location settings
- RobloxPlayerLauncher.exe (PID: 664)
Creates files or folders in the user directory
- RobloxPlayerLauncher.exe (PID: 6112)
- RobloxPlayerLauncher.exe (PID: 664)
Manual execution by a user
- wscript.exe (PID: 3140)
- wscript.exe (PID: 6828)
- notepad.exe (PID: 732)
- OpenWith.exe (PID: 7052)
- OpenWith.exe (PID: 6708)
- OpenWith.exe (PID: 1748)
- OpenWith.exe (PID: 2772)
- OpenWith.exe (PID: 2800)
- OpenWith.exe (PID: 3156)
- OpenWith.exe (PID: 1912)
- wscript.exe (PID: 3304)
- notepad.exe (PID: 5352)
- OpenWith.exe (PID: 5280)
- OpenWith.exe (PID: 6668)
- OpenWith.exe (PID: 5404)
- OpenWith.exe (PID: 6036)
- OpenWith.exe (PID: 4724)
- OpenWith.exe (PID: 856)
- OpenWith.exe (PID: 4892)
- OpenWith.exe (PID: 7104)
- OpenWith.exe (PID: 2288)
- OpenWith.exe (PID: 6852)
- OpenWith.exe (PID: 5124)
- OpenWith.exe (PID: 4448)
- OpenWith.exe (PID: 4164)
- OpenWith.exe (PID: 4000)
- OpenWith.exe (PID: 2420)
- OpenWith.exe (PID: 3800)
Reads Microsoft Office registry keys
- OpenWith.exe (PID: 1912)
- OpenWith.exe (PID: 7052)
- OpenWith.exe (PID: 1748)
- OpenWith.exe (PID: 6708)
- OpenWith.exe (PID: 2772)
- OpenWith.exe (PID: 3156)
- OpenWith.exe (PID: 2800)
- OpenWith.exe (PID: 4724)
- OpenWith.exe (PID: 5280)
- OpenWith.exe (PID: 6036)
- OpenWith.exe (PID: 6668)
- OpenWith.exe (PID: 5404)
- OpenWith.exe (PID: 856)
- OpenWith.exe (PID: 7104)
- OpenWith.exe (PID: 4892)
- OpenWith.exe (PID: 2288)
- OpenWith.exe (PID: 6852)
- OpenWith.exe (PID: 5124)
- OpenWith.exe (PID: 4164)
- OpenWith.exe (PID: 4448)
- OpenWith.exe (PID: 4000)
- OpenWith.exe (PID: 3800)
- OpenWith.exe (PID: 2420)
Reads security settings of Internet Explorer
- notepad.exe (PID: 732)
- notepad.exe (PID: 5352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2049:05:04 05:21:17+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.29 |
| CodeSize: | 6095360 |
| InitializedDataSize: | 2285056 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x5689f2 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.6.0.16041 |
| ProductVersionNumber: | 1.6.0.16041 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Roblox Corporation |
| FileDescription: | Roblox |
| FileVersion: | 1, 6, 0, 6700713 |
| LegalCopyright: | Copyright © 2020 Roblox Corporation. All rights reserved. |
| OriginalFileName: | Roblox.exe |
| ProductName: | Roblox Bootstrapper |
| ProductVersion: | 1, 6, 0, 6700713 |
Total processes
156
Monitored processes
31
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 616 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 664 | "C:\Users\admin\Desktop\RobloxPlayerLauncher.exe" | C:\Users\admin\Desktop\RobloxPlayerLauncher.exe | explorer.exe | ||||||||||||
User: admin Company: Roblox Corporation Integrity Level: MEDIUM Description: Roblox Exit code: 4294967295 Version: 1, 6, 0, 6700713 Modules
| |||||||||||||||
| 732 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\gamecontrollerdb.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 856 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\Guru.json | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1748 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\fr-fr.json | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1912 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\pt-br.json | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2288 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\RobotoCondensed.json | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2420 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\Inconsolata.json | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2772 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\en-us.json | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2800 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\UniversalAppPatchConfig.json | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
22 960
Read events
22 947
Write events
13
Delete events
0
Modification events
| (PID) Process: | (664) RobloxPlayerLauncher.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (664) RobloxPlayerLauncher.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (664) RobloxPlayerLauncher.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (6112) RobloxPlayerLauncher.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (6112) RobloxPlayerLauncher.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (6112) RobloxPlayerLauncher.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (664) RobloxPlayerLauncher.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Roblox |
| Operation: | write | Name: | CPath |
Value: C:\Users\admin\AppData\LocalLow\rbxcsettings.rbx | |||
| (PID) Process: | (664) RobloxPlayerLauncher.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Environments |
| Operation: | write | Name: | roblox-player |
Value: roblox-player | |||
| (PID) Process: | (664) RobloxPlayerLauncher.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Environments\RobloxPlayer\Channel |
| Operation: | write | Name: | www.roblox.com |
Value: | |||
| (PID) Process: | (664) RobloxPlayerLauncher.exe | Key: | HKEY_CLASSES_ROOT\roblox-studio |
| Operation: | write | Name: | URL Protocol |
Value: | |||
Executable files
3
Suspicious files
23
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 664 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\668ff9d05d1ae0db9cef62b95acf50a3.part | — | |
MD5:— | SHA256:— | |||
| 664 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Temp\crashpad_roblox\settings.dat | binary | |
MD5:59DA67CF0C0175117131B4820776B28D | SHA256:44AD8F2FB809E748430818BA4DCF137E27E9A7DFD0704854D06539A3C8979DA2 | |||
| 664 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\WindowsPlayer[1].json | binary | |
MD5:4C9F4AE2B93AB2F271B778CC9214C811 | SHA256:1DAB05F0F5B262FAB047315E72A9997DAB5E6E08D92C640EC037EB310C4628D4 | |||
| 664 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\BatchIncrement[1].json | binary | |
MD5:BEDBF7D7D69748886E9B48F45C75FBBE | SHA256:B4A55CFD050F4A62B1C4831CA0AB6FFADDE1FE1C3F583917EADE12F8C6726F61 | |||
| 6112 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\BatchIncrement[1].json | binary | |
MD5:BEDBF7D7D69748886E9B48F45C75FBBE | SHA256:B4A55CFD050F4A62B1C4831CA0AB6FFADDE1FE1C3F583917EADE12F8C6726F61 | |||
| 664 | RobloxPlayerLauncher.exe | C:\Users\admin\Desktop\Roblox Studio.lnk | binary | |
MD5:C505C3801368F15F4A97AFF34D25F97E | SHA256:48803E8A6C73663F69D385D1F7F332C5AA6EE194B4C7F7E0C466E67231CD807D | |||
| 664 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Roblox\Versions\RobloxStudioLauncherBeta.exe | executable | |
MD5:B877A52CBDA1658AAD12F5FA87DC7909 | SHA256:CA2116FD21B8FC4397C377F6AEF738BE56EAE91533849C82DF3BB9B1C395BA3F | |||
| 664 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\WindowsStudio64[1].json | binary | |
MD5:0A2184EE920003AC68799EFE6F8E1F0E | SHA256:72A0B169EC6926BECF990C346F2590764B1752AF7974C0718DE07BFC2DAE913A | |||
| 664 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\RobloxStudioLauncherBeta[1].exe | executable | |
MD5:B877A52CBDA1658AAD12F5FA87DC7909 | SHA256:CA2116FD21B8FC4397C377F6AEF738BE56EAE91533849C82DF3BB9B1C395BA3F | |||
| 664 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Temp\RBX-F0F11C5F.tmp | executable | |
MD5:B877A52CBDA1658AAD12F5FA87DC7909 | SHA256:CA2116FD21B8FC4397C377F6AEF738BE56EAE91533849C82DF3BB9B1C395BA3F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
55
DNS requests
33
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6480 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6480 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 52.85.65.120:443 | https://setup.rbxcdn.com/version-a9a5d0b275a34ffb-rbxBootstrapperPkgManifest.txt | unknown | — | — | — |
— | — | GET | 200 | 23.48.23.156:443 | https://setup.rbxcdn.com/version-a9a5d0b275a34ffb-rbxInstallerPkgManifest.txt | unknown | — | — | — |
— | — | GET | — | 23.48.23.156:443 | https://setup.rbxcdn.com/version-a9a5d0b275a34ffb-RobloxApp.zip | unknown | — | — | — |
— | — | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
6480 | SIHClient.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
6480 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
6480 | SIHClient.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
6480 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6480 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.126.29.13:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6480 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6544 | svchost.exe | 40.126.29.13:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6480 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
664 | RobloxPlayerLauncher.exe | 18.173.187.17:443 | clientsettingscdn.roblox.com | — | US | whitelisted |
664 | RobloxPlayerLauncher.exe | 128.116.5.3:443 | ephemeralcounters.api.roblox.com | ROBLOX-PRODUCTION | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
clientsettingscdn.roblox.com |
| whitelisted |
ephemeralcounters.api.roblox.com |
| whitelisted |
setup.rbxcdn.qq.com |
| whitelisted |
clientsettingscdn.roblox.qq.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | ET INFO EXE - Served Inline HTTP |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET INFO Executable served from Amazon S3 |