Malware analysis RobloxPlayerInstaller-7MQ7FCYYYB.exe Malicious activity

Add for printing

File name:	RobloxPlayerInstaller-7MQ7FCYYYB.exe
Full analysis:	https://app.any.run/tasks/23e9a54e-3d9b-487a-b4eb-5e2f39d06252
Verdict:	Malicious activity
Analysis date:	May 29, 2025, 19:16:06
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	roblox discord phishing delphi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	6EA9B4E01182ADF7F8F4409490CF77A6
SHA1:	06E39D7DB8A79851B1828BA41551DF15AB99A7FC
SHA256:	99BB1F15FFD140E36CB26DFDD2487694C88A94C79FD73DB10DBB95101617F058
SSDEEP:	98304:Ms0n0RHraOWfrfceEqOdjMdiZgGwxU6KGR3GWjJS2U4g3J1YUtQpCU0r6Sj2kIeG:29hR+Js

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - MicrosoftEdgeUpdate.exe (PID: 7920)
- PHISHING has been detected (SURICATA)
  - Noxic App.exe (PID: 2284)
SUSPICIOUS
- Executable content was dropped or overwritten
  - MicrosoftEdgeUpdate.exe (PID: 7920)
  - MicrosoftEdgeWebview2Setup.exe (PID: 7896)
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
  - setup.exe (PID: 8644)
  - MicrosoftEdge_X64_137.0.3296.52.exe (PID: 6824)
  - Noxic.exe (PID: 3192)
  - RobloxPlayerBeta.exe (PID: 2192)
  - RobloxPlayerBeta.exe (PID: 5164)
- Changes default file association
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
- Starts a Microsoft application from unusual location
  - MicrosoftEdgeUpdate.exe (PID: 7920)
- Process drops legitimate windows executable
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
  - MicrosoftEdgeWebview2Setup.exe (PID: 7896)
  - MicrosoftEdgeUpdate.exe (PID: 7920)
  - setup.exe (PID: 8644)
  - Noxic.exe (PID: 3192)
- The process drops C-runtime libraries
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
- Starts itself from another location
  - MicrosoftEdgeUpdate.exe (PID: 7920)
- Creates/Modifies COM task schedule object
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8008)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7980)
  - MicrosoftEdgeUpdate.exe (PID: 7956)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8036)
- Reads security settings of Internet Explorer
  - MicrosoftEdgeUpdate.exe (PID: 7920)
  - MicrosoftEdgeUpdate.exe (PID: 8172)
- Application launched itself
  - setup.exe (PID: 8644)
  - setup.exe (PID: 8448)
  - MicrosoftEdgeUpdate.exe (PID: 8172)
  - Noxic App.exe (PID: 5056)
  - Noxic App.exe (PID: 5796)
- Searches for installed software
  - setup.exe (PID: 8644)
- Creates a software uninstall entry
  - setup.exe (PID: 8644)
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
- Executes application which crashes
  - RobloxPlayerBeta.exe (PID: 2192)
  - RobloxPlayerBeta.exe (PID: 5164)
- There is functionality for taking screenshot (YARA)
  - Noxic.exe (PID: 3192)
INFO
- The sample compiled with english language support
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
  - MicrosoftEdgeWebview2Setup.exe (PID: 7896)
  - MicrosoftEdgeUpdate.exe (PID: 7920)
  - setup.exe (PID: 8644)
  - Noxic.exe (PID: 3192)
- Process checks whether UAC notifications are on
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
- ROBLOX mutex has been found
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
- Checks supported languages
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
  - MicrosoftEdgeWebview2Setup.exe (PID: 7896)
  - MicrosoftEdgeUpdate.exe (PID: 7920)
  - MicrosoftEdgeUpdate.exe (PID: 7956)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7980)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8008)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8036)
  - MicrosoftEdgeUpdate.exe (PID: 8092)
  - MicrosoftEdgeUpdate.exe (PID: 8132)
  - MicrosoftEdgeUpdate.exe (PID: 8172)
  - identity_helper.exe (PID: 5164)
  - MicrosoftEdge_X64_137.0.3296.52.exe (PID: 6824)
  - setup.exe (PID: 8644)
  - setup.exe (PID: 8448)
  - setup.exe (PID: 8660)
  - setup.exe (PID: 8608)
  - RobloxPlayerBeta.exe (PID: 2192)
  - MicrosoftEdgeUpdate.exe (PID: 7280)
- Reads the computer name
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
  - MicrosoftEdgeUpdate.exe (PID: 7920)
  - MicrosoftEdgeUpdate.exe (PID: 7956)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7980)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8008)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8036)
  - MicrosoftEdgeUpdate.exe (PID: 8092)
  - MicrosoftEdgeUpdate.exe (PID: 8172)
  - MicrosoftEdgeUpdate.exe (PID: 8132)
  - identity_helper.exe (PID: 5164)
  - MicrosoftEdge_X64_137.0.3296.52.exe (PID: 6824)
  - setup.exe (PID: 8644)
  - setup.exe (PID: 8448)
  - MicrosoftEdgeUpdate.exe (PID: 7280)
- Create files in a temporary directory
  - MicrosoftEdgeWebview2Setup.exe (PID: 7896)
  - MicrosoftEdgeUpdate.exe (PID: 7920)
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
- Creates files or folders in the user directory
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
  - MicrosoftEdgeUpdate.exe (PID: 7920)
  - MicrosoftEdgeUpdate.exe (PID: 8172)
  - MicrosoftEdge_X64_137.0.3296.52.exe (PID: 6824)
  - setup.exe (PID: 8660)
  - setup.exe (PID: 8644)
  - setup.exe (PID: 8448)
- Reads the machine GUID from the registry
  - RobloxPlayerInstaller-7MQ7FCYYYB.exe (PID: 7428)
  - MicrosoftEdgeUpdate.exe (PID: 8172)
- Launch of the file from Registry key
  - MicrosoftEdgeUpdate.exe (PID: 7920)
- Checks proxy server information
  - MicrosoftEdgeUpdate.exe (PID: 8092)
  - MicrosoftEdgeUpdate.exe (PID: 8172)
  - MicrosoftEdgeUpdate.exe (PID: 7280)
- Reads Environment values
  - MicrosoftEdgeUpdate.exe (PID: 8092)
  - identity_helper.exe (PID: 5164)
  - MicrosoftEdgeUpdate.exe (PID: 7280)
- Process checks computer location settings
  - MicrosoftEdgeUpdate.exe (PID: 7920)
  - setup.exe (PID: 8644)
- Reads the software policy settings
  - MicrosoftEdgeUpdate.exe (PID: 8092)
  - MicrosoftEdgeUpdate.exe (PID: 8172)
  - MicrosoftEdgeUpdate.exe (PID: 7280)
  - slui.exe (PID: 7540)
- Manual execution by a user
  - msedge.exe (PID: 684)
  - Noxic.exe (PID: 3192)
  - Noxic App.exe (PID: 5796)
  - RobloxPlayerBeta.exe (PID: 5164)
- Application launched itself
  - msedge.exe (PID: 684)
  - msedge.exe (PID: 5552)
- Attempting to use instant messaging service
  - msedge.exe (PID: 7052)
- Compiled with Borland Delphi (YARA)
  - slui.exe (PID: 6392)
  - Noxic.exe (PID: 3192)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 8004)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1983:12:29 01:51:34+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	5692416
InitializedDataSize:	2106368
UninitializedDataSize:	-
EntryPoint:	0x509e65
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.6.0.507
ProductVersionNumber:	1.6.0.507
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Roblox Corporation
FileDescription:	Roblox
FileVersion:	1, 6, 0, 6750715
LegalCopyright:	Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName:	Roblox.exe
ProductName:	Roblox Bootstrapper
ProductVersion:	1, 6, 0, 6750715

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

280

Monitored processes

136

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5452 --field-trial-handle=2136,i,15922847461173001445,2372740238279550862,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

516

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6540 --field-trial-handle=2292,i,11484197902993261800,18225436234540447243,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

632

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=9024 --field-trial-handle=2292,i,11484197902993261800,18225436234540447243,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

672

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=9180 --field-trial-handle=2292,i,11484197902993261800,18225436234540447243,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

684

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

732

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x288,0x2a0,0x7ffc89825fd8,0x7ffc89825fe4,0x7ffc89825ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

968

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5208 --field-trial-handle=2292,i,11484197902993261800,18225436234540447243,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1760

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2288 --field-trial-handle=2292,i,11484197902993261800,18225436234540447243,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2092

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3704 --field-trial-handle=2292,i,11484197902993261800,18225436234540447243,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2192

"C:\Users\admin\AppData\Local\Roblox\Versions\version-ad3ee47cdc5e44f6\RobloxPlayerBeta.exe" -app -installerLaunchTimeEpochMs 0 -clientLaunchTimeEpochMs 0 -isInstallerLaunch 7428

C:\Users\admin\AppData\Local\Roblox\Versions\version-ad3ee47cdc5e44f6\RobloxPlayerBeta.exe

RobloxPlayerInstaller-7MQ7FCYYYB.exe

User:

admin

Company:

Roblox Corporation

Integrity Level:

MEDIUM

Description:

Roblox Game Client

Exit code:

3221225477

Version:

0, 675, 0, 6750715

Modules

Images
c:\users\admin\appdata\local\roblox\versions\version-ad3ee47cdc5e44f6\robloxplayerbeta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\roblox\versions\version-ad3ee47cdc5e44f6\robloxplayerbeta.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

Add for printing

Total events

31 661

Read events

29 823

Write events

1 699

Delete events

139

Modification events


(PID) Process:	(7428) RobloxPlayerInstaller-7MQ7FCYYYB.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation:	write	Name:	WarnOnOpen
Value: 0
(PID) Process:	(7428) RobloxPlayerInstaller-7MQ7FCYYYB.exe	Key:	HKEY_CLASSES_ROOT\roblox-studio
Operation:	write	Name:	URL Protocol
Value:
(PID) Process:	(7428) RobloxPlayerInstaller-7MQ7FCYYYB.exe	Key:	HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation:	write	Name:	version
Value: version-d9df23078b8e4749
(PID) Process:	(7920) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	delete value	Name:	eulaaccepted
Value:
(PID) Process:	(7956) MicrosoftEdgeUpdate.exe	Key:	HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{81093D63-7825-417B-BFC8-ADC63FA4E53D}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Both
(PID) Process:	(7956) MicrosoftEdgeUpdate.exe	Key:	HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{5EA43877-C6D8-4885-B77A-C0BB27E94372}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Both
(PID) Process:	(7956) MicrosoftEdgeUpdate.exe	Key:	HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{D3E6ADD1-CFF8-465D-B996-174FF76B89D4}\InprocHandler32
Operation:	write	Name:	ThreadingModel
Value: Both
(PID) Process:	(7956) MicrosoftEdgeUpdate.exe	Key:	HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{81093D63-7825-417B-BFC8-ADC63FA4E53D}\InprocServer32
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7956) MicrosoftEdgeUpdate.exe	Key:	HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{81093D63-7825-417B-BFC8-ADC63FA4E53D}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7956) MicrosoftEdgeUpdate.exe	Key:	HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{5EA43877-C6D8-4885-B77A-C0BB27E94372}\InprocServer32
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

275

Suspicious files

1 125

Text files

240

Unknown types

Dropped files

PID	Process	Filename		Type
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\f62f7d645c32934c6f4bf3cfd9de4562		—
		MD5:—	SHA256:—
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Local\Roblox\logs\cacert.pem		text
		MD5:010D6ED950BB45C06D69F823689D38A0	SHA256:560370CC311311DCA9F459668C820BAEB3177C99744A5810A254F1F72EA47E72
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\4350aaa5c4eb7dd63fb86b1acde58ed0		compressed
		MD5:4350AAA5C4EB7DD63FB86B1ACDE58ED0	SHA256:506A1482F56D8DBECE216D19BD100C71D1B65ED486C9AEC84043A6E70157D65A
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\a36b77316d3394b7fb734ed7ceb5a0c2		compressed
		MD5:A36B77316D3394B7FB734ED7CEB5A0C2	SHA256:85A1D23E0CE1A19CD35D2690A076BE26A43D7D59F6FDDBBE3A28377C44BD3ACC
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Local\Roblox\Versions\RobloxStudioInstaller.exe		executable
		MD5:54C52F1E03AE51FA667FE52AA9097539	SHA256:527AF50E97815DFBFE02F26B7F19787E9368DD0329BBB1970973BBE424EA89FE
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\8bd85f4e8e0f8904501eb60e6f3bf7ee		compressed
		MD5:8BD85F4E8E0F8904501EB60E6F3BF7EE	SHA256:2E01FCA8EA0CDFCB1E6962AE9A8DC8FAB9241441E2568D812AAD9A11E1BFF57B
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\5fe3ebab23de62304fae1a8d19ab7afe		compressed
		MD5:5FE3EBAB23DE62304FAE1A8D19AB7AFE	SHA256:727624F8059AEC7DD22E4C39F0D31D7A36DD6CFFD557E33DEB83832459D01BF4
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\c9622ecfbec2c14d30f390909c563124		compressed
		MD5:C9622ECFBEC2C14D30F390909C563124	SHA256:AC39EF36DD53C77C687DBA333B3C15520E07D15B6D5ACCDD6FD97722E5541E54
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox\Roblox Studio.lnk		binary
		MD5:4F50D1E342639DC492810BD8CF49D970	SHA256:A8E77BD83ADC92F5D8DFB7C9AE1C63F9DBEACDA98E94494900BEFE023BBDA880
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\1d0390337d1a4a58e5514be1a9481ad6		compressed
		MD5:1D0390337D1A4A58E5514BE1A9481AD6	SHA256:C79F0EEB2BCA4905C585C50333DB3C6F727A554F5DB82E64948F93668FBC18AA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

317

DNS requests

428

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.32.238.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1284	svchost.exe	HEAD	200	199.232.210.172:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/374973f4-2935-4802-a6ad-3efbd5eaded0?P1=1749150987&P2=404&P3=2&P4=TG%2fwryIDV3AWhD57IOSPm76NocmicR3%2fdT9RiqrOq9AGnU3XnwS1TrQokh36LkWrMh571MCBY4SiSQx8%2bWJRVA%3d%3d	unknown	—	—	whitelisted
1284	svchost.exe	GET	—	199.232.210.172:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/374973f4-2935-4802-a6ad-3efbd5eaded0?P1=1749150987&P2=404&P3=2&P4=TG%2fwryIDV3AWhD57IOSPm76NocmicR3%2fdT9RiqrOq9AGnU3XnwS1TrQokh36LkWrMh571MCBY4SiSQx8%2bWJRVA%3d%3d	unknown	—	—	whitelisted
3192	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3192	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1284	svchost.exe	HEAD	200	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1748975639&P2=404&P3=2&P4=JjlGU8RbgE4ZNZxH6Tq4mMkiOMxly4KQNhMBr04%2b0uUggVlUak6P1kOkps3NqAm%2fO3U0UaLjdqXYLy%2ftJhLzQw%3d%3d	unknown	—	—	whitelisted
1284	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1748975639&P2=404&P3=2&P4=JjlGU8RbgE4ZNZxH6Tq4mMkiOMxly4KQNhMBr04%2b0uUggVlUak6P1kOkps3NqAm%2fO3U0UaLjdqXYLy%2ftJhLzQw%3d%3d	unknown	—	—	whitelisted
1284	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1748975639&P2=404&P3=2&P4=JjlGU8RbgE4ZNZxH6Tq4mMkiOMxly4KQNhMBr04%2b0uUggVlUak6P1kOkps3NqAm%2fO3U0UaLjdqXYLy%2ftJhLzQw%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4784	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	23.32.238.34:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5796	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	128.116.5.3:443	ecsv2.roblox.com	ROBLOX-PRODUCTION	US	whitelisted
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	23.45.109.46:443	clientsettingscdn.roblox.com	AKAMAI-AS	DE	whitelisted
7428	RobloxPlayerInstaller-7MQ7FCYYYB.exe	18.245.31.60:443	setup.rbxcdn.com	—	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.46	whitelisted
crl.microsoft.com	23.32.238.34 2.19.198.194	whitelisted
www.microsoft.com	2.16.253.202	whitelisted
ecsv2.roblox.com	128.116.5.3	whitelisted
clientsettingscdn.roblox.com	23.45.109.46	whitelisted
apis.roblox.com	128.116.5.3	whitelisted
setup.rbxcdn.com	18.245.31.60 18.245.31.48 18.245.31.125 18.245.31.44	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.250	whitelisted
login.live.com	20.190.159.2 40.126.31.130 40.126.31.131 20.190.159.71 20.190.159.130 40.126.31.0 20.190.159.73 40.126.31.73	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted

Threats

PID	Process	Class	Message
1284	svchost.exe	Misc activity	ET INFO Packed Executable Download
7052	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
7052	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
7052	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
7052	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
7052	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
7052	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
7052	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
7052	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7052	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)

Add for printing

No debug info

General Info

RobloxPlayerInstaller-7MQ7FCYYYB.exe

6EA9B4E01182ADF7F8F4409490CF77A6

06E39D7DB8A79851B1828BA41551DF15AB99A7FC

99BB1F15FFD140E36CB26DFDD2487694C88A94C79FD73DB10DBB95101617F058

98304:Ms0n0RHraOWfrfceEqOdjMdiZgGwxU6KGR3GWjJS2U4g3J1YUtQpCU0r6Sj2kIeG:29hR+Js

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

PHISHING has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Changes default file association

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts itself from another location

Creates/Modifies COM task schedule object

Reads security settings of Internet Explorer

Application launched itself

Searches for installed software

Creates a software uninstall entry

Executes application which crashes

There is functionality for taking screenshot (YARA)

INFO

The sample compiled with english language support

Process checks whether UAC notifications are on

ROBLOX mutex has been found

Checks supported languages

Reads the computer name

Create files in a temporary directory

Creates files or folders in the user directory

Reads the machine GUID from the registry

Launch of the file from Registry key

Checks proxy server information

Reads Environment values

Process checks computer location settings

Reads the software policy settings

Manual execution by a user

Application launched itself

Attempting to use instant messaging service

Compiled with Borland Delphi (YARA)

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity