File name: RobloxPlayerInstaller (1).exe
Full analysis: https://app.any.run/tasks/8007e8e8-8905-4d46-907c-1408ad250c80
Verdict: Malicious activity
Analysis date: November 11, 2023, 21:55:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 37EC55EEB0B04A839448FCFD2C6983A5
SHA1: 3BD81C304205C26F9F57743F3F28800616592E27
SHA256: 96417538D88966725792BA8C3EE0AB841EF60CC0F70213CEDBEF66612274176A
SSDEEP: 3072:lJ4FoXtrlqb/XCVj2DZZ+erOgZkSVKVHVVwpsWm8YaV2E8tPtTemUFN:la+lqb/yVQZtZrVKVHVV9s2btPQmUF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks for external IP

      • RobloxPlayerInstaller (1).exe (PID: 3128)
    • Reads the Internet Settings

      • RobloxPlayerInstaller (1).exe (PID: 3128)
  • INFO

    • Checks supported languages

      • RobloxPlayerInstaller (1).exe (PID: 3128)
      • wmpnscfg.exe (PID: 3216)
      • wmpnscfg.exe (PID: 3688)
    • Reads the computer name

      • RobloxPlayerInstaller (1).exe (PID: 3128)
      • wmpnscfg.exe (PID: 3216)
      • wmpnscfg.exe (PID: 3688)
    • Reads Environment values

      • RobloxPlayerInstaller (1).exe (PID: 3128)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3216)
      • wmpnscfg.exe (PID: 3688)
    • Reads the machine GUID from the registry

      • RobloxPlayerInstaller (1).exe (PID: 3128)
      • wmpnscfg.exe (PID: 3216)
      • wmpnscfg.exe (PID: 3688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:11 22:40:43+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 77312
InitializedDataSize: 84992
UninitializedDataSize: -
EntryPoint: 0x14d6e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.6.0.56855
ProductVersionNumber: 1.6.0.56855
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Roblox Corporation
FileDescription: Roblox
FileVersion: 1.6.0.56855
InternalName: RobloxPlayerInstaller.exe
LegalCopyright: Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName: RobloxPlayerInstaller.exe
ProductName: Roblox Bootstrapper
ProductVersion: 1.6.0.56855
AssemblyVersion: 1.6.0.56855
No data.
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

explorer.exe
  +-- RobloxPlayerInstaller (1).exe (PID 3128)
  +-- wmpnscfg.exe (PID 3216, no specs)
  +-- wmpnscfg.exe (PID 3688, no specs)

All three monitored processes were started by explorer.exe; the two wmpnscfg.exe instances are not children of the sample.

Process information

PID: 3128
CMD: "C:\Users\admin\AppData\Local\Temp\RobloxPlayerInstaller (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\RobloxPlayerInstaller (1).exe
Parent process: explorer.exe
User:
admin
Company:
Roblox Corporation
Integrity Level:
MEDIUM
Description:
Roblox
Exit code:
2148734499
Version:
1.6.0.56855
Modules
Images
c:\users\admin\appdata\local\temp\robloxplayerinstaller (1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3216
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
PID: 3688
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
548
Read events
540
Write events
0
Delete events
8

Modification events

All eight entries are key deletions by the two wmpnscfg.exe instances (name: (default), no value). PID 3128, the sample itself, produced no registry writes or deletions.

PID 3216 (wmpnscfg.exe) | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{AAFF7D8C-9953-440B-BC8D-25897F0A43CA}\{E8689C6B-A012-4A89-89AF-141535BA2010}
PID 3216 (wmpnscfg.exe) | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{AAFF7D8C-9953-440B-BC8D-25897F0A43CA}
PID 3216 (wmpnscfg.exe) | delete key | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{531F5BF2-C7AB-4BA3-8F69-E85FB837A9DC}
PID 3688 (wmpnscfg.exe) | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{AAFF7D8C-9953-440B-BC8D-25897F0A43CA}\{A204288F-F5B3-4DA1-AF1C-75DB0A602F27}
PID 3688 (wmpnscfg.exe) | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{AAFF7D8C-9953-440B-BC8D-25897F0A43CA}
PID 3688 (wmpnscfg.exe) | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{EE793D07-639C-422E-AFD7-0E464A23C172}\{A204288F-F5B3-4DA1-AF1C-75DB0A602F27}
PID 3688 (wmpnscfg.exe) | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{EE793D07-639C-422E-AFD7-0E464A23C172}
PID 3688 (wmpnscfg.exe) | delete key | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{5D4F4A2A-30C8-41EB-BCF5-2605B03DAE02}
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
6
DNS requests
1
Threats
3

HTTP requests

PID: 3128
Process: RobloxPlayerInstaller (1).exe
Method: GET
HTTP Code: 200
IP: 208.95.112.1:80
URL: http://ip-api.com/line/?fields=hosting
CN: unknown
Type: text
Size: 5 b
Reputation: unknown

Connections

PID   Process                        IP                     Domain      ASN     CN   Reputation
1080  svchost.exe                    224.0.0.252:5355       -           -       -    unknown
2588  svchost.exe                    239.255.255.250:1900   -           -       -    whitelisted
4     System                         192.168.100.255:137    -           -       -    whitelisted
4     System                         192.168.100.255:138    -           -       -    whitelisted
3128  RobloxPlayerInstaller (1).exe  208.95.112.1:80        ip-api.com  TUT-AS  US   unknown

("-" = not reported.) The first four rows are normal Windows background traffic from unmonitored system processes: LLMNR (224.0.0.252:5355), SSDP (239.255.255.250:1900) and NetBIOS name/datagram broadcasts (ports 137/138). Only the last row belongs to the sample.
DNS requests

Domain      IP            Reputation
ip-api.com  208.95.112.1  shared

Threats

PID   Process                        Class                                           Message
3128  RobloxPlayerInstaller (1).exe  Device Retrieving External IP Address Detected  ET POLICY External IP Lookup ip-api.com
3128  RobloxPlayerInstaller (1).exe  Device Retrieving External IP Address Detected  POLICY [ANY.RUN] External Hosting Lookup by ip-api
3128  RobloxPlayerInstaller (1).exe  Potential Corporate Privacy Violation           AV POLICY Internal Host Retrieving External IP Address (ip-api.com)
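All three signatures fire on the one outbound request the sample made: GET http://ip-api.com/line/?fields=hosting, answered with a 5-byte text body. ip-api.com's `hosting` field reports whether the caller's address belongs to a datacenter/cloud range, which is a cheap test for "am I in a cloud sandbox rather than on a victim's home line", hence the evasion tag. The network rules above match on the host name only; the Python below is an added example (not ANY.RUN's, Suricata's or Emerging Threats' logic) that ranks such lookups in your own proxy logs, treating a non-browser process that asks specifically for network-classification fields as higher priority than a browser visiting the same site. The tab-separated log format, the process names and the sample lines are constructed for the example.

```python
"""Rank external-IP / hosting lookups seen in proxy logs.

Added example for this report; not ANY.RUN, Suricata or Emerging Threats code.
The log format (tab-separated "pid, process, method, url"), the process names
and the sample lines are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Public services that answer "what is my IP / where am I" questions.
# A sample that calls one of these is fingerprinting its network position.
IP_LOOKUP_HOSTS = {
    "ip-api.com",
    "api.ipify.org",
    "ipinfo.io",
    "icanhazip.com",
    "ifconfig.me",
    "checkip.amazonaws.com",
}

# ip-api.com "fields" values that classify the *network* rather than locate it:
# hosting (datacenter/cloud range), proxy (VPN/Tor/proxy), mobile (cellular).
# A non-browser asking for these is checking whether it runs in a sandbox.
NETWORK_CLASS_FIELDS = {"hosting", "proxy", "mobile"}

# Processes for which an IP-lookup site is ordinary browsing, not a check.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


def requested_fields(url):
    """Return the set of ip-api.com fields named in the query string.

    The service also accepts a numeric bitmask (fields=16384); that form is
    kept verbatim so the caller still sees that a field filter was used.
    """
    query = parse_qs(urlsplit(url).query)
    fields = set()
    for value in query.get("fields", []):
        fields.update(f.strip().lower() for f in value.split(",") if f.strip())
    return fields


def classify(line):
    """Classify one log line; return None when it is not an IP-lookup request."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    pid, process, method, url = parts
    host = (urlsplit(url).hostname or "").lower()
    if host not in IP_LOOKUP_HOSTS:
        return None

    fields = requested_fields(url)
    class_fields = fields & NETWORK_CLASS_FIELDS
    if process.lower() in BROWSERS:
        severity = "info"          # a person looking up their own IP
    elif class_fields:
        severity = "high"          # hosting/proxy/mobile check from a non-browser
    else:
        severity = "suspicious"    # plain external-IP discovery from a non-browser

    return {
        "pid": int(pid),
        "process": process,
        "method": method,
        "host": host,
        "fields": sorted(fields),
        "network_class_check": sorted(class_fields),
        "severity": severity,
    }


def scan(lines):
    """Run classify() over an iterable of log lines, dropping non-matches."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample log; the first line mirrors the request in this report.
SAMPLE_LOG = [
    "3128\tRobloxPlayerInstaller (1).exe\tGET\thttp://ip-api.com/line/?fields=hosting",
    "4412\tchrome.exe\tGET\thttp://ip-api.com/json/",
    "2200\tupdater.exe\tGET\thttps://api.ipify.org/?format=text",
    "1234\tsvchost.exe\tGET\thttp://ctldl.windowsupdate.com/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["severity"]:10} pid={hit["pid"]} {hit["process"]} -> {hit["host"]} fields={hit["fields"]}')
```

The first sample line scores "high": a non-browser process asking only for `hosting` has no benign reason to do so. A browser hitting ip-api.com is logged at "info" so the rule stays quiet on curious users, and a non-browser fetching a bare IP is "suspicious", which is where generic updaters and VPN clients land.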
Debug output

Process: RobloxPlayerInstaller (1).exe
Message: CLR: Managed code called FailFast without specifying a reason.
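The FailFast message pairs with the exit code 2148734499 listed for PID 3128: that is 0x80131623, the CLR HRESULT COR_E_FAILFAST, so the process was neither crashed nor killed, it ended itself through a managed fail-fast. Zero write events, zero dropped files and a single ip-api.com lookup are consistent with a sample that aborts on a hosting/VM verdict before unpacking anything; the 5-byte response body is not shown in the report, so the branch it took is inferred, not observed. The Roblox Corporation strings in the version resource are free-form metadata and say nothing about who built the file. Translating a raw exit code into its HRESULT/NTSTATUS meaning is a routine triage step; the Python below is an added example (not ANY.RUN tooling), with constant names taken from the public CLR header corerror.h and from ntstatus.h, and with a deliberately small lookup table.

```python
"""Decode a Windows process exit code that is really an HRESULT or NTSTATUS.

Added example for this report, not ANY.RUN tooling. Constant names are taken
from the public CLR header corerror.h and from ntstatus.h; the table is a
small selection, not a complete list.
"""

# HRESULT layout (32 bits): S R C N X | facility (11 bits) | code (16 bits)
#   S = severity (1 = failure); N = 1 marks an HRESULT that wraps an NTSTATUS.
# NTSTATUS layout: Sev (2 bits) C N | facility (12 bits) | code (16 bits)
#   Sev = 0b11 for errors, e.g. 0xC0000005 STATUS_ACCESS_VIOLATION.

FACILITY_NAMES = {
    0x000: "FACILITY_NULL",
    0x007: "FACILITY_WIN32",
    0x013: "FACILITY_URT",   # the .NET runtime; every 0x8013xxxx code lands here
}

KNOWN_CODES = {
    0x80131623: "COR_E_FAILFAST",           # Environment.FailFast / fail-fast abort
    0x80131500: "COR_E_EXCEPTION",          # unhandled System.Exception
    0x80131509: "COR_E_INVALIDOPERATION",
    0x80004005: "E_FAIL",
    0x80070057: "E_INVALIDARG",
    0xC0000005: "STATUS_ACCESS_VIOLATION",  # native crash, NTSTATUS not HRESULT
    0xC000013A: "STATUS_CONTROL_C_EXIT",    # console process ended by Ctrl+C
}


def decode_exit_code(code):
    """Describe an exit code as a sandbox report prints it.

    Accepts the unsigned form (2148734499), the signed form some tools print
    (-2146232797) or a hex string ("0x80131623"); all are the same 32 bits.
    """
    if isinstance(code, str):
        code = int(code, 0)
    value = code & 0xFFFFFFFF
    info = {"hex": f"0x{value:08X}", "name": KNOWN_CODES.get(value)}
    top2 = value >> 30
    n_bit = (value >> 28) & 1
    if top2 == 0b11 and not n_bit:
        # NTSTATUS error: the process died from an exception, not a clean exit.
        info.update(kind="ntstatus", facility=(value >> 16) & 0xFFF, code=value & 0xFFFF)
    elif value >> 31:
        facility = (value >> 16) & 0x7FF
        info.update(
            kind="hresult",
            facility=facility,
            facility_name=FACILITY_NAMES.get(facility, "unknown"),
            code=value & 0xFFFF,
        )
    else:
        # Small positive values are ordinary return codes chosen by the program.
        info.update(kind="plain", code=value)
    return info


def describe(code):
    """One-line triage text, e.g. for a report or ticket."""
    d = decode_exit_code(code)
    if d["kind"] == "hresult":
        name = d["name"] or "unknown HRESULT"
        return f'{d["hex"]}: {name} (facility {d["facility_name"]}, code 0x{d["code"]:04X})'
    if d["kind"] == "ntstatus":
        return f'{d["hex"]}: {d["name"] or "unknown NTSTATUS"} (process crashed)'
    return f'{d["hex"]}: plain exit code {d["code"]}'


if __name__ == "__main__":
    # 2148734499 is the exit code of PID 3128 in this report.
    print(describe(2148734499))
```

Any exit code with bit 31 set and facility 0x13 is the CLR talking, not the program; seeing COR_E_FAILFAST next to a single environment probe and no file or registry writes is a reliable cue to rerun the sample on a residential egress or with the lookup answered "false" before concluding it is inert.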