File name: Roblox-Player-win10.exe

Full analysis: https://app.any.run/tasks/63b37145-d597-492f-bb7f-fad0bd18460e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 29, 2024, 15:38:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9F6CFC85691E5369C29C83408B938154
SHA1: 4F6A99703EDCF17745F10BCFF17B13A29BE5EAD5
SHA256: 89A009ED9F444004A3B789D423330275839FEBC20A66C78795AE10C18E238983
SSDEEP: 98304:hzC7cJrQTh1ry9zBWWdHlFP8//h0urXbtP2BD8+T3yH/7EHYMrM87zaGsHCORtHg:igPf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • Roblox-Player-win10.exe (PID: 1448)
    • Reads security settings of Internet Explorer

      • Roblox-Player-win10.exe (PID: 1448)
    • Executable content was dropped or overwritten

      • Roblox-Player-win10.exe (PID: 1448)
      • KcRqluY.exe (PID: 5924)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 2180)
  • INFO

    • Create files in a temporary directory

      • Roblox-Player-win10.exe (PID: 1448)
      • KcRqluY.exe (PID: 5924)
    • Reads the computer name

      • Roblox-Player-win10.exe (PID: 1448)
      • KcRqluY.exe (PID: 5924)
    • Checks supported languages

      • Roblox-Player-win10.exe (PID: 1448)
      • KcRqluY.exe (PID: 5924)
    • The process uses the downloaded file

      • mshta.exe (PID: 2180)
      • Roblox-Player-win10.exe (PID: 1448)
    • Checks proxy server information

      • mshta.exe (PID: 2180)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 2180)
    • Process checks computer location settings

      • Roblox-Player-win10.exe (PID: 1448)
    • Reads the machine GUID from the registry

      • KcRqluY.exe (PID: 5924)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:08:16 11:05:43+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 48640
InitializedDataSize: 71680
UninitializedDataSize: -
EntryPoint: 0x912e
OSVersion: 5
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 125
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 2

Behavior graph (process nodes): roblox-player-win10.exe, mshta.exe, kcrqluy.exe, conhost.exe, roblox-player-win10.exe

Process information

PID: 1448
CMD: "C:\Users\admin\Desktop\Roblox-Player-win10.exe"
Path: C:\Users\admin\Desktop\Roblox-Player-win10.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images): c:\users\admin\desktop\roblox-player-win10.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\aclayers.dll
PID: 2180
CMD: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Path: C:\Windows\SysWOW64\mshta.exe
Parent process: Roblox-Player-win10.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft (R) HTML Application host
Version: 11.00.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\mshta.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll
PID: 2212
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: KcRqluY.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 3396
CMD: "C:\Users\admin\Desktop\Roblox-Player-win10.exe"
Path: C:\Users\admin\Desktop\Roblox-Player-win10.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images): c:\users\admin\desktop\roblox-player-win10.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll
PID: 5924
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\KcRqluY.exe" -O MwHFadC.exe https://download.yandex.ru/yandex-pack/downloader/downloader.exe
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\KcRqluY.exe
Parent process: mshta.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images): c:\users\admin\appdata\local\temp\rarsfx0\kcrqluy.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll
Total events: 3 433
Read events: 3 428
Write events: 5
Delete events: 0

Modification events

(PID) Process: (1448) Roblox-Player-win10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\OpenWithProgids
Operation: write | Name: htafile | Value:

(PID) Process: (2180) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix | Value:

(PID) Process: (2180) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

(PID) Process: (2180) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:
Executable files: 5
Suspicious files: 1
Text files: 15
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\gtec.vbs | text
  MD5: 87282D58520E73A0FE8DBAC0282A2858
  SHA256: F8FC49235B7C4AF252DBDD52F6A6F2884CB93810790E4C828C161A94101B0BAC
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\gam-page.html | html
  MD5: 260AD26EC3790D4097D4E041B8C57C61
  SHA256: 1A3DEE4210170A383E74D81014EF04425C52D3123F0757BAFFF49EB752EA8EBD
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\img\screen-003.png | image
  MD5: 46A47C30741BA28E85005F117E36B99B
  SHA256: CF946AA2BB04D162E295737DEF927EE57D30B35E659EDD1505D2E67925040A5D
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\anim.gif | image
  MD5: 7E62AEBA4E8BD8A4D1C5C33F1961DCDB
  SHA256: BAD6F9186B0DBA551360CC446EEC00CEB73B244F635BF0D30BECF541E2C3F8CE
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\gtea.vbs | text
  MD5: E366D5FDC951E5D9834BB7BE646135CF
  SHA256: 466687CEF4C867B10B17086C4EF004465E3623E734D123E0E1BDBF698C0EB9B1
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\icon.ico | image
  MD5: D0E3D3235536E56204EE528741D1B0B3
  SHA256: 05294F471BF25ECE0769A99E83405344A6A80F41A99620BF4D226580EC5819BA
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\gteb.vbs | text
  MD5: 61B247072862E87AA9C44CA21CD0A089
  SHA256: 82BBC5E067DFA25D5E7DF3BB1584ED04D9CD3FDFC7A425FE7F55830E76748C86
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\img\logo-offer.png | image
  MD5: 072679C20456E6B83EA3707A7C4E7B6F
  SHA256: 8A0087C2D38FA04F54E2F8A39310EB6FBDC8849C61A55AE235D4B121052A2E6A
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\icon.png | image
  MD5: D26F29F9F1AD2C636C15091FF4B0A372
  SHA256: 4ECE660F4319AAC01EBEC9598ED1295FAC9B19EFCFBC4F9CD0437D7F83C77D1F
1448 | Roblox-Player-win10.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\icons.zip | compressed
  MD5: 8E19D23C6D6FE77B8DF29A016BC949A9
  SHA256: EB569E329EF77A425D7EC5E5CE36D4BEB1659E10DCA76731A863DBAE52DA1EBC
HTTP(S) requests: 3
TCP/UDP connections: 28
DNS requests: 6
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3928 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 5.45.200.104:443 | https://cachev2-fra-01.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=293 | unknown | executable | 203 Kb | whitelisted
- | - | GET | 302 | 37.9.117.27:443 | https://download.yandex.ru/yandex-pack/downloader/downloader.exe | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3928 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3928 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5924 | KcRqluY.exe | 5.45.205.243:443 | download.yandex.ru | YANDEX LLC | RU | whitelisted
3928 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5924 | KcRqluY.exe | 5.45.200.104:443 | cachev2-fra-01.cdn.yandex.net | YANDEX LLC | RU | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 172.217.18.110 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
download.yandex.ru | 5.45.205.243, 5.45.205.245, 5.45.205.244, 5.45.205.241, 5.45.205.242 | whitelisted
cachev2-fra-01.cdn.yandex.net | 5.45.200.104 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO Wget Request for Executable
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info