File name: roblox.exe

Full analysis: https://app.any.run/tasks/39b7700e-04bd-4ac4-b376-ac21613af6c0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 09, 2025, 14:15:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-doc
arch-scr
arch-exec
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 93CC28BFF51A677298618FA83BC6D3C0
SHA1: 1EBE43E0025F7B2D0CE29FB2CDA02329E8B435CB
SHA256: ABE0149F9D65062AB9CF54B3B1AA68B563F136CC0BBA153C7C20DDC5AFADBD5C
SSDEEP: 98304:4Ks0EfVu0Gs1/tlr21A+zm10QJ5aSeokFFQVwVPq7tvBI0emK8BL7NZ0LD9ClJMX:ZcWs4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Changes default file association

      • roblox.exe (PID: 6404)
    • The process drops C-runtime libraries

      • roblox.exe (PID: 6404)
    • Executable content was dropped or overwritten

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
      • MicrosoftEdgeUpdate.exe (PID: 5592)
      • setup.exe (PID: 5912)
      • RobloxPlayerBeta.exe (PID: 5400)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1596)
    • Process drops legitimate windows executable

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
      • MicrosoftEdgeUpdate.exe (PID: 5592)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1596)
      • setup.exe (PID: 5912)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 5592)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 5592)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 6804)
    • Application launched itself

      • setup.exe (PID: 5912)
      • MicrosoftEdgeUpdate.exe (PID: 6636)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 4264)
  • INFO

    • Checks supported languages

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeUpdate.exe (PID: 4264)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
    • The sample compiled with english language support

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
      • MicrosoftEdgeUpdate.exe (PID: 5592)
      • setup.exe (PID: 5912)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1596)
      • svchost.exe (PID: 6804)
    • Sends debugging messages

      • roblox.exe (PID: 6404)
      • RobloxPlayerBeta.exe (PID: 5400)
    • Creates files or folders in the user directory

      • roblox.exe (PID: 6404)
    • Reads the machine GUID from the registry

      • roblox.exe (PID: 6404)
    • Create files in a temporary directory

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
    • Reads the computer name

      • MicrosoftEdgeUpdate.exe (PID: 4264)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5576)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2055:03:08 02:55:24+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 3254272
InitializedDataSize: 1503744
UninitializedDataSize: -
EntryPoint: 0x2ca960
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.6.1.61075
ProductVersionNumber: 1.6.1.61075
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Roblox Corporation
FileDescription: Roblox
FileVersion: 1, 6, 1, 6090387
LegalCopyright: Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName: Roblox.exe
ProductName: Roblox Bootstrapper
ProductVersion: 1, 6, 1, 6090387
No data.
All screenshots are available in the full report
Total processes
152
Monitored processes
19
Malicious processes
4
Suspicious processes
2

Behavior graph

  • start
  • roblox.exe
  • microsoftedgewebview2setup.exe
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdate.exe
  • svchost.exe
  • microsoftedge_x64_131.0.2903.112.exe
  • setup.exe
  • setup.exe (no specs)
  • microsoftedgeupdate.exe
  • robloxplayerbeta.exe
  • robloxcrashhandler.exe (no specs)
  • gamebarpresencewriter.exe (no specs)
  • gamebar.exe (no specs)

Process information

PID: 624
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7Q0E1RkRGMDYtNjUyNC00RUIzLTk0QUQtMTY0MDMyMDIwMkYwfSIgdXNlcmlkPSJ7NjZFQjQyRDItNDBGMS00NzA2LTk4NzYtMjcxNDExQjVGOEQ0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins1RjJGNzc4NS1GODhBLTQ3NzMtQTg3Ny0zNDlDQjU2Njg3N0R9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMxNzQ4OTU5MjYiIGluc3RhbGxfdGltZV9tcz0iNTQzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 1020
CMD: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
Path: C:\Windows\System32\GameBarPresenceWriter.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Gamebar Presence Writer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\gamebarpresencewriter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID: 1596
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{BA322059-12F8-4371-BEB6-EEE7EC6F1D03}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{BA322059-12F8-4371-BEB6-EEE7EC6F1D03}\MicrosoftEdge_X64_131.0.2903.112.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
131.0.2903.112
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{ba322059-12f8-4371-beb6-eee7ec6f1d03}\microsoftedge_x64_131.0.2903.112.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2280
CMD: C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\\RobloxCrashHandler.exe --no-rate-limit --crashCounter Win-ROBLOXPlayer-Crash --baseUrl http://www.roblox.com/ --attachment=attachment_0.655.0.6551095_20250109T141745Z_Player_9A9A1_last.log=C:\Users\admin\AppData\Local\Roblox\logs\0.655.0.6551095_20250109T141745Z_Player_9A9A1_last.log --database=C:\Users\admin\AppData\Local\Roblox\logs\crashes --metrics-dir=C:\Users\admin\AppData\Local\Roblox\logs\crashes --url=https://upload.crashes.rbxinfra.com/post?format=minidump --annotation=AppVersion=0.655.0.6551095 --annotation=BaseUrl=http://www.roblox.com/ "--annotation=CPUMake=Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz" --annotation=Format=minidump --annotation=OSPlatform=Win32 "--annotation=OSVersion=Windows 10 - PlatformId 2, Version 10.0, Build 19045" --annotation=PlatformId=2 --annotation=RobloxChannel=production --annotation=RobloxGitHash=1e939d01ed66ec75a2357d431e693416a498f1e0 --annotation=RobloxProduct=RobloxPlayer --annotation=TotalMemory=4289146880 --annotation=UniqueId=8748771356128138104 --annotation=UploadAttachmentKiloByteLimit=1000 --annotation=UseCrashpad=True --initial-client-data=0x8b8,0x8bc,0x890,0x690,0x6d8,0x7ff7368c3d88,0x7ff7368c3da0,0x7ff7368c3db8
Path: C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\RobloxCrashHandler.exe
Parent process: RobloxPlayerBeta.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\roblox\versions\version-37cf60402a5648b4\robloxcrashhandler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\user32.dll
PID: 3080
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{CA5FDF06-6524-4EB3-94AD-1640320202F0}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 3816
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4264
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 4640
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4984
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7Q0E1RkRGMDYtNjUyNC00RUIzLTk0QUQtMTY0MDMyMDIwMkYwfSIgdXNlcmlkPSJ7NjZFQjQyRDItNDBGMS00NzA2LTk4NzYtMjcxNDExQjVGOEQ0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyOTY2NkZGNC04NUQ3LTQzM0UtQTBGQy1EOTdDQkVGN0NBQzN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzEuMC4yOTAzLjExMiIgbGFuZz0iZW4iIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzE4OTU5MDYxOCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMTg5NjcxMTY0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-[…]-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM2MDQ5MTU1ODgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzYyOTk3NTczNyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTQwMTg4ODEzOTEiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI5NTQiIGRvd25sb2FkX3RpbWVfbXM9IjQxNTE4IiBkb3dubG9hZGVkPSIxNzY4NzA5NzYiIHRvdGFsPSIxNzY4NzA5NzYiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjM4ODg1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 5032
CMD: MicrosoftEdgeWebview2Setup.exe /silent /install
Path: C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
Parent process: roblox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\roblox\versions\version-37cf60402a5648b4\webview2runtimeinstaller\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
26 525
Read events
23 967
Write events
2 491
Delete events
67

Modification events

Process: (6404) roblox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation: write
Name: WarnOnOpen
Value: 0

Process: (6404) roblox.exe
Key: HKEY_CLASSES_ROOT\roblox-studio
Operation: write
Name: URL Protocol
Value: -

Process: (6404) roblox.exe
Key: HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation: write
Name: version
Value: version-d7ec89f14d9e47ce

Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: write
Name: path
Value: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: write
Name: UninstallCmdLine
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall

Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation: write
Name: pv
Value: 1.3.171.39

Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation: write
Name: name
Value: Microsoft Edge Update

Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation: write
Name: pv
Value: 1.3.171.39

Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: delete value
Name: eulaaccepted
Value: -

Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft Edge Update
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateCore.exe"
Executable files
208
Suspicious files
43
Text files
10
Unknown types
5

Dropped files

PID | Process | Filename | Type
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Versions\RobloxStudioInstaller.exe | executable
MD5: 673F7C90ED7046C1403B3EF6D77A706C
SHA256: BBDF25DEE8C741B498E59F8588E2A64C73B012D632B033A5E7C74290F12D3A34
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\logs\cacert.pem | text
MD5: 452E60869EB88DDF57579B4F0211ED7C
SHA256: 489B7CA945DE8B0C980085A83BE5D74BF33E60EA9857E70B22D78B078EC847A0
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\1d0390337d1a4a58e5514be1a9481ad6 | compressed
MD5: 1D0390337D1A4A58E5514BE1A9481AD6
SHA256: C79F0EEB2BCA4905C585C50333DB3C6F727A554F5DB82E64948F93668FBC18AA
6404 | roblox.exe | C:\Users\admin\Desktop\Roblox Studio.lnk | lnk
MD5: F58823334CFFA38907754716F7467B53
SHA256: 687EEF6B90D8755BD99FC75080E819827D5E6DE7E2D4F48DEFC22775312D0750
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\e5c236509e5ad76452ee0c377336a48b | compressed
MD5: E5C236509E5AD76452EE0C377336A48B
SHA256: 09AD0D92B4B82259B1792C5FB6BE6CFF008724BB443E30117EA6138217DED1FA
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\13276385dbd87f097030409aa6cd40d7 | compressed
MD5: FC0D05CF9A15C9D5496B5779FC679116
SHA256: FDAE0F9DE7D08DA833A142828D4661009286CA02B76818BECF1C62EC8413B4A5
6404 | roblox.exe | C:\Users\admin\AppData\Local\Temp\Roblox\http\RBXADDE9890449F47F0B0D1C80FCDE02C7B | binary
MD5: 17F19AAF4302DF8AE48234CD3EDCF855
SHA256: 9CD035CC12F10824A03DA778403829E352E71732C7176AA8FC84D9DEE84DD153
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\32622161783a33a229827a2a0261cc16 | compressed
MD5: 32622161783A33A229827A2A0261CC16
SHA256: 631125E9AB228CCC5CA7CC723EABC683BAFA245F2E63B9FB23A55073DF017C12
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\909f4b9d7bc03a926d35e84d0c99ffbf | compressed
MD5: FF8ED71E27291DAB5A4B3AFD7E00FE04
SHA256: B22D568BD008B8132AC4A072ABC596BFAC12E2992C2A3D9987BDDB6BAA51CB08
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\a2166dcd5c94421a2db907beb1aed130 | executable
MD5: A2166DCD5C94421A2DB907BEB1AED130
SHA256: 3D3FACBE7F53B347E6EBBC9FC7E185B2DFCD529E1DB06F08AFADCECD30A01ACB
HTTP(S) requests
9
TCP/UDP connections
57
DNS requests
37
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 973 b | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 313 b | whitelisted
6804 | svchost.exe | HEAD | 200 | 2.16.168.112:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1737036978&P2=404&P3=2&P4=ZoRNYpgff0siXLx9C4kZNYitXOrKF3Q3tIrlqKyFFuXZq7MPBx53V1FWPYrexhOodeoORU3GlO8%2bSy7GTRgy7g%3d%3d | RU | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
6804 | svchost.exe | GET | 200 | 2.16.168.112:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1737036978&P2=404&P3=2&P4=ZoRNYpgff0siXLx9C4kZNYitXOrKF3Q3tIrlqKyFFuXZq7MPBx53V1FWPYrexhOodeoORU3GlO8%2bSy7GTRgy7g%3d%3d | RU | executable | 168 Mb | whitelisted
- | - | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted
6280 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | US | binary | 471 b | whitelisted
6632 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 418 b | whitelisted
6632 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 408 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1684 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.31.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
  • 2.23.227.221
  • 2.23.227.198
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.40
  • 2.16.164.32
  • 2.16.164.24
  • 2.16.164.18
  • 2.16.164.34
  • 2.16.164.67
  • 2.16.164.73
  • 2.16.164.72
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.52.120.96
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.2
  • 40.126.31.71
  • 40.126.31.67
  • 40.126.31.69
  • 20.190.159.73
whitelisted
client-telemetry.roblox.com
  • 128.116.44.3
whitelisted
ecsv2.roblox.com
  • 128.116.44.4
whitelisted
clientsettingscdn.roblox.com
  • 52.222.236.113
  • 52.222.236.86
  • 52.222.236.43
  • 52.222.236.6
whitelisted

Threats

PID | Process | Class | Message
6804 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
roblox.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobloxPlayerBeta.exe
2025-01-09T14:17:46.150Z,1.150155,1494,6,Warning [FLog::RobloxStarter] Roblox stage ReadyForFlagFetch completed
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-01-09T14:17:46.152Z,1.152170,1494,6 [FLog::Output] Loading AppSettings.xml from C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\AppSettings.xml
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-01-09T14:17:46.154Z,1.154184,1494,6,Info [FLog::UpdateController] WindowsUpdateController: updaterFullPath: C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerInstaller.exe
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-01-09T14:17:46.154Z,1.154184,1494,6,Info [FLog::UpdateController] UpdateController: versionQueryUrl: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayer
RobloxPlayerBeta.exe