URL:

https://github.com/javaismyspecialty/RobloxTool/blob/main/RBLXTOOL.exe

Full analysis: https://app.any.run/tasks/3f570dd6-237c-431c-aff7-b59d4bc48c77
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 13, 2024, 13:41:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
evasion
discord
python
discordgrabber
generic
stealer
upx
pastebin
Indicators:
MD5:

A5BFE4039EB226E9E244D76C369BAC76

SHA1:

0E758CC646732F78E707F39D362A729A03A532CF

SHA256:

7477E81903C58D870CB9637DC63F83FDFA79A1D2605BA7A67EE40F3C7B83A91F

SSDEEP:

3:N8tEd/UibEb4KmK9ER5TRHn:2uLbHKHsNR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • processhacker-2.39-setup.exe (PID: 1544)
      • processhacker-2.39-setup.exe (PID: 2912)
      • processhacker-2.39-setup.tmp (PID: 6716)
      • RBLXTOOL.exe (PID: 2220)
      • RBLXTOOL.exe (PID: 4536)

    • Actions looks like stealing of personal data

      • RBLXTOOL.exe (PID: 4536)

    • Changes the autorun value in the registry

      • reg.exe (PID: 6368)

    • DISCORDGRABBER has been detected (YARA)

      • ProcessHacker.exe (PID: 6764)
      • RBLXTOOL.exe (PID: 4536)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • processhacker-2.39-setup.exe (PID: 1544)
      • processhacker-2.39-setup.exe (PID: 2912)
      • processhacker-2.39-setup.tmp (PID: 6716)
      • RBLXTOOL.exe (PID: 2220)
      • RBLXTOOL.exe (PID: 4536)

    • Reads security settings of Internet Explorer

      • processhacker-2.39-setup.tmp (PID: 6996)
      • ProcessHacker.exe (PID: 7312)
      • ProcessHacker.exe (PID: 8076)
      • ProcessHacker.exe (PID: 6764)

    • Reads the date of Windows installation

      • processhacker-2.39-setup.tmp (PID: 6996)

    • Process drops legitimate windows executable

      • processhacker-2.39-setup.tmp (PID: 6716)
      • RBLXTOOL.exe (PID: 2220)

    • Reads the Windows owner or organization settings

      • processhacker-2.39-setup.tmp (PID: 6716)

    • Drops a system driver (possible attempt to evade defenses)

      • processhacker-2.39-setup.tmp (PID: 6716)

    • Checks Windows Trust Settings

      • ProcessHacker.exe (PID: 7312)
      • ProcessHacker.exe (PID: 8076)
      • ProcessHacker.exe (PID: 6764)

    • Process drops python dynamic module

      • RBLXTOOL.exe (PID: 2220)

    • The process drops C-runtime libraries

      • RBLXTOOL.exe (PID: 2220)

    • Application launched itself

      • RBLXTOOL.exe (PID: 2220)

    • Loads Python modules

      • RBLXTOOL.exe (PID: 4536)

    • Starts CMD.EXE for commands execution

      • RBLXTOOL.exe (PID: 4536)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 1348)
      • cmd.exe (PID: 7184)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 1972)
      • WMIC.exe (PID: 2456)

    • Executing commands from a ".bat" file

      • RBLXTOOL.exe (PID: 4536)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7176)
      • cmd.exe (PID: 6172)

    • There is functionality for taking screenshot (YARA)

      • RBLXTOOL.exe (PID: 4536)

  • INFO

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2208)
      • firefox.exe (PID: 2832)

    • Drops the executable file immediately after the start

      • chrome.exe (PID: 2208)
      • firefox.exe (PID: 2832)

    • Application launched itself

      • chrome.exe (PID: 2208)
      • firefox.exe (PID: 2832)
      • firefox.exe (PID: 2140)

    • The process uses the downloaded file

      • chrome.exe (PID: 780)
      • chrome.exe (PID: 836)
      • chrome.exe (PID: 2208)

    • Checks supported languages

      • processhacker-2.39-setup.tmp (PID: 6996)
      • processhacker-2.39-setup.exe (PID: 1544)
      • processhacker-2.39-setup.exe (PID: 2912)
      • processhacker-2.39-setup.tmp (PID: 6716)
      • ProcessHacker.exe (PID: 7312)
      • ProcessHacker.exe (PID: 8076)
      • RBLXTOOL.exe (PID: 2220)
      • RBLXTOOL.exe (PID: 4536)
      • ProcessHacker.exe (PID: 6764)

    • Create files in a temporary directory

      • processhacker-2.39-setup.exe (PID: 1544)
      • processhacker-2.39-setup.exe (PID: 2912)
      • processhacker-2.39-setup.tmp (PID: 6716)
      • RBLXTOOL.exe (PID: 2220)
      • RBLXTOOL.exe (PID: 4536)

    • Reads the computer name

      • processhacker-2.39-setup.tmp (PID: 6996)
      • processhacker-2.39-setup.tmp (PID: 6716)
      • ProcessHacker.exe (PID: 7312)
      • ProcessHacker.exe (PID: 8076)
      • RBLXTOOL.exe (PID: 2220)
      • RBLXTOOL.exe (PID: 4536)
      • ProcessHacker.exe (PID: 6764)

    • Process checks computer location settings

      • processhacker-2.39-setup.tmp (PID: 6996)

    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 2208)
      • firefox.exe (PID: 2832)

    • Creates a software uninstall entry

      • processhacker-2.39-setup.tmp (PID: 6716)

    • Creates files in the program directory

      • processhacker-2.39-setup.tmp (PID: 6716)

    • Reads the machine GUID from the registry

      • ProcessHacker.exe (PID: 7312)
      • ProcessHacker.exe (PID: 8076)
      • RBLXTOOL.exe (PID: 4536)
      • ProcessHacker.exe (PID: 6764)

    • Reads Environment values

      • ProcessHacker.exe (PID: 7312)

    • Reads the software policy settings

      • ProcessHacker.exe (PID: 7312)
      • ProcessHacker.exe (PID: 8076)
      • ProcessHacker.exe (PID: 6764)

    • Checks proxy server information

      • ProcessHacker.exe (PID: 7312)
      • RBLXTOOL.exe (PID: 4536)

    • Creates files or folders in the user directory

      • ProcessHacker.exe (PID: 7312)
      • RBLXTOOL.exe (PID: 4536)

    • Manual execution by a user

      • ProcessHacker.exe (PID: 8076)
      • RBLXTOOL.exe (PID: 2220)
      • ProcessHacker.exe (PID: 6764)
      • firefox.exe (PID: 2140)

    • Checks operating system version

      • RBLXTOOL.exe (PID: 4536)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1972)
      • WMIC.exe (PID: 2456)

    • Attempting to use instant messaging service

      • RBLXTOOL.exe (PID: 4536)
      • firefox.exe (PID: 2832)

    • UPX packer has been detected

      • RBLXTOOL.exe (PID: 4536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
219
Monitored processes
79
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs processhacker-2.39-setup.exe processhacker-2.39-setup.tmp no specs processhacker-2.39-setup.exe processhacker-2.39-setup.tmp processhacker.exe processhacker.exe no specs rblxtool.exe #DISCORDGRABBER rblxtool.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs #DISCORDGRABBER processhacker.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
564"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5796 --field-trial-handle=2016,i,4376668394404792050,5715957340603625080,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
780"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6716 --field-trial-handle=2016,i,4376668394404792050,5715957340603625080,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
836"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5288 --field-trial-handle=2016,i,4376668394404792050,5715957340603625080,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
916"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5588 --field-trial-handle=2016,i,4376668394404792050,5715957340603625080,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
992"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7920 -childID 10 -isForBrowser -prefsHandle 7768 -prefMapHandle 7800 -prefsLen 31978 -prefMapSize 244343 -jsInitHandle 1248 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecd3df5c-6b08-441b-8afa-f6b695898040} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 1a116855bd0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
1280"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5604 --field-trial-handle=2016,i,4376668394404792050,5715957340603625080,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1348C:\WINDOWS\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"C:\Windows\System32\cmd.exeRBLXTOOL.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1452"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5252 --field-trial-handle=2016,i,4376668394404792050,5715957340603625080,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1544"C:\Users\admin\Downloads\processhacker-2.39-setup.exe" C:\Users\admin\Downloads\processhacker-2.39-setup.exe
chrome.exe
User:
admin
Company:
wj32
Integrity Level:
MEDIUM
Description:
Process Hacker Setup
Exit code:
0
Version:
2.39 (r124)
Modules
Images
c:\users\admin\downloads\processhacker-2.39-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
1648"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8832 -childID 16 -isForBrowser -prefsHandle 8652 -prefMapHandle 8556 -prefsLen 31978 -prefMapSize 244343 -jsInitHandle 1248 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6fca734-cdea-4769-801a-1834e5f3b9b9} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" 1a118afc850 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
66 929
Read events
66 810
Write events
110
Delete events
9

Modification events

(PID) Process:(2208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(2208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(2208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(2208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(2208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(2208) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(2208) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid
Value:
Executable files
140
Suspicious files
289
Text files
103
Unknown types
12

Dropped files

PID
Process
Filename
Type
2208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
2208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
2208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
2208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF1ce8f0.TMP
MD5:
SHA256:
2208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
2208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1ce8f0.TMP
MD5:
SHA256:
2208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
2208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
2208chrome.exeC:\USERS\ADMIN\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\LAST VERSIONtext
MD5:FCE53E052E5CF7C20819320F374DEA88
SHA256:CD95DE277E746E92CC2C53D9FC92A8F6F0C3EDFB7F1AD9A4E9259F927065BC89
2208chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF1ce8d1.TMPtext
MD5:139F545948FC1F10256A27E3C2CEF062
SHA256:9399CC6F9C335015E086DB37208B1816A7831221A005B04AC83C4F86CC04230D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
106
TCP/UDP connections
444
DNS requests
544
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1928
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1928
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3656
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6600
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6716
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6588
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6716
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2208
chrome.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEALE0eWKSmgMVo2jBH5%2BTV8%3D
unknown
whitelisted
3088
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/gb5app3orhwsqeqgujyfjg4vde_1014/efniojlnjndmcbiieegkicadnoecjjef_1014_all_dv53bz3fo3qdoiffh7yicsooxa.crx3
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4448
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2196
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1928
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1928
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
4032
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2340
chrome.exe
140.82.121.3:443
github.com
GITHUB
US
unknown
2208
chrome.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.206
whitelisted
github.com
  • 140.82.121.3
shared
accounts.google.com
  • 172.217.218.84
whitelisted
www.bing.com
  • 104.126.37.160
  • 104.126.37.155
  • 104.126.37.171
  • 104.126.37.139
  • 104.126.37.178
  • 104.126.37.184
  • 104.126.37.161
  • 104.126.37.153
  • 104.126.37.146
  • 104.126.37.162
  • 104.126.37.130
  • 104.126.37.186
  • 104.126.37.170
  • 104.126.37.128
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.134
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.140
whitelisted
github.githubassets.com
  • 185.199.110.154
  • 185.199.111.154
  • 185.199.108.154
  • 185.199.109.154
whitelisted

Threats

PID
Process
Class
Message
2340
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2340
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2340
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
2340
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] An application monitoring request to newrelic .com
2168
svchost.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
2168
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4536
RBLXTOOL.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2168
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2168
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2168
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/javaismyspecialty/RobloxTool/blob/main/RBLXTOOL.exe