File name: roblox.exe

Full analysis: https://app.any.run/tasks/39b7700e-04bd-4ac4-b376-ac21613af6c0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 09, 2025, 14:15:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-doc
arch-scr
arch-exec
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 93CC28BFF51A677298618FA83BC6D3C0
SHA1: 1EBE43E0025F7B2D0CE29FB2CDA02329E8B435CB
SHA256: ABE0149F9D65062AB9CF54B3B1AA68B563F136CC0BBA153C7C20DDC5AFADBD5C
SSDEEP: 98304:4Ks0EfVu0Gs1/tlr21A+zm10QJ5aSeokFFQVwVPq7tvBI0emK8BL7NZ0LD9ClJMX:ZcWs4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Changes default file association

      • roblox.exe (PID: 6404)
    • The process drops C-runtime libraries

      • roblox.exe (PID: 6404)
    • Executable content was dropped or overwritten

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
      • MicrosoftEdgeUpdate.exe (PID: 5592)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1596)
      • setup.exe (PID: 5912)
      • RobloxPlayerBeta.exe (PID: 5400)
    • Process drops legitimate windows executable

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
      • MicrosoftEdgeUpdate.exe (PID: 5592)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1596)
      • setup.exe (PID: 5912)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 5592)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 5592)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 4264)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 6804)
    • Application launched itself

      • setup.exe (PID: 5912)
      • MicrosoftEdgeUpdate.exe (PID: 6636)
  • INFO

    • The sample compiled with english language support

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
      • MicrosoftEdgeUpdate.exe (PID: 5592)
      • svchost.exe (PID: 6804)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 1596)
      • setup.exe (PID: 5912)
    • Create files in a temporary directory

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
    • Creates files or folders in the user directory

      • roblox.exe (PID: 6404)
    • Checks supported languages

      • roblox.exe (PID: 6404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5032)
      • MicrosoftEdgeUpdate.exe (PID: 4264)
    • Sends debugging messages

      • roblox.exe (PID: 6404)
      • RobloxPlayerBeta.exe (PID: 5400)
    • Reads the machine GUID from the registry

      • roblox.exe (PID: 6404)
    • Reads the computer name

      • MicrosoftEdgeUpdate.exe (PID: 4264)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2055:03:08 02:55:24+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 3254272
InitializedDataSize: 1503744
UninitializedDataSize: -
EntryPoint: 0x2ca960
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.6.1.61075
ProductVersionNumber: 1.6.1.61075
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Roblox Corporation
FileDescription: Roblox
FileVersion: 1, 6, 1, 6090387
LegalCopyright: Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName: Roblox.exe
ProductName: Roblox Bootstrapper
ProductVersion: 1, 6, 1, 6090387
No data.
All screenshots are available in the full report
Total processes: 152
Monitored processes: 19
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Processes in the graph, in start order: roblox.exe, microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, microsoftedgeupdate.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), microsoftedgeupdate.exe, microsoftedgeupdate.exe (no specs), microsoftedgeupdate.exe, svchost.exe, microsoftedge_x64_131.0.2903.112.exe, setup.exe, setup.exe (no specs), microsoftedgeupdate.exe, robloxplayerbeta.exe, robloxcrashhandler.exe (no specs), gamebarpresencewriter.exe (no specs), gamebar.exe (no specs)

Process information

PID: 624
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7Q0E1RkRGMDYtNjUyNC00RUIzLTk0QUQtMTY0MDMyMDIwMkYwfSIgdXNlcmlkPSJ7NjZFQjQyRDItNDBGMS00NzA2LTk4NzYtMjcxNDExQjVGOEQ0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins1RjJGNzc4NS1GODhBLTQ3NzMtQTg3Ny0zNDlDQjU2Njg3N0R9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMxNzQ4OTU5MjYiIGluc3RhbGxfdGltZV9tcz0iNTQzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.171.39
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 1020
CMD: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
Path: C:\Windows\System32\GameBarPresenceWriter.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Gamebar Presence Writer
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\gamebarpresencewriter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID: 1596
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{BA322059-12F8-4371-BEB6-EEE7EC6F1D03}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{BA322059-12F8-4371-BEB6-EEE7EC6F1D03}\MicrosoftEdge_X64_131.0.2903.112.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Installer
Exit code: 0
Version: 131.0.2903.112
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{ba322059-12f8-4371-beb6-eee7ec6f1d03}\microsoftedge_x64_131.0.2903.112.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2280
CMD: C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\\RobloxCrashHandler.exe --no-rate-limit --crashCounter Win-ROBLOXPlayer-Crash --baseUrl http://www.roblox.com/ --attachment=attachment_0.655.0.6551095_20250109T141745Z_Player_9A9A1_last.log=C:\Users\admin\AppData\Local\Roblox\logs\0.655.0.6551095_20250109T141745Z_Player_9A9A1_last.log --database=C:\Users\admin\AppData\Local\Roblox\logs\crashes --metrics-dir=C:\Users\admin\AppData\Local\Roblox\logs\crashes --url=https://upload.crashes.rbxinfra.com/post?format=minidump --annotation=AppVersion=0.655.0.6551095 --annotation=BaseUrl=http://www.roblox.com/ "--annotation=CPUMake=Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz" --annotation=Format=minidump --annotation=OSPlatform=Win32 "--annotation=OSVersion=Windows 10 - PlatformId 2, Version 10.0, Build 19045" --annotation=PlatformId=2 --annotation=RobloxChannel=production --annotation=RobloxGitHash=1e939d01ed66ec75a2357d431e693416a498f1e0 --annotation=RobloxProduct=RobloxPlayer --annotation=TotalMemory=4289146880 --annotation=UniqueId=8748771356128138104 --annotation=UploadAttachmentKiloByteLimit=1000 --annotation=UseCrashpad=True --initial-client-data=0x8b8,0x8bc,0x890,0x690,0x6d8,0x7ff7368c3d88,0x7ff7368c3da0,0x7ff7368c3db8
Path: C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\RobloxCrashHandler.exe
Parent process: RobloxPlayerBeta.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\roblox\versions\version-37cf60402a5648b4\robloxcrashhandler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\user32.dll
PID: 3080
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{CA5FDF06-6524-4EB3-94AD-1640320202F0}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.171.39
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 3816
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update COM Registration Helper
Exit code: 0
Version: 1.3.171.39
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4264
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.171.39
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 4640
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update COM Registration Helper
Exit code: 0
Version: 1.3.171.39
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4984
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7Q0E1RkRGMDYtNjUyNC00RUIzLTk0QUQtMTY0MDMyMDIwMkYwfSIgdXNlcmlkPSJ7NjZFQjQyRDItNDBGMS00NzA2LTk4NzYtMjcxNDExQjVGOEQ0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyOTY2NkZGNC04NUQ3LTQzM0UtQTBGQy1EOTdDQkVGN0NBQzN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzEuMC4yOTAzLjExMiIgbGFuZz0iZW4iIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzE4OTU5MDYxOCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMTg5NjcxMTY0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-…-…-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.171.39
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 5032
CMD: MicrosoftEdgeWebview2Setup.exe /silent /install
Path: C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
Parent process: roblox.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update Setup
Exit code: 0
Version: 1.3.171.39
Modules (images):
c:\users\admin\appdata\local\roblox\versions\version-37cf60402a5648b4\webview2runtimeinstaller\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 26 525
Read events: 23 967
Write events: 2 491
Delete events: 67

Modification events

(PID) Process: (6404) roblox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation: write
Name: WarnOnOpen
Value: 0

(PID) Process: (6404) roblox.exe
Key: HKEY_CLASSES_ROOT\roblox-studio
Operation: write
Name: URL Protocol
Value: (empty)

(PID) Process: (6404) roblox.exe
Key: HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation: write
Name: version
Value: version-d7ec89f14d9e47ce

(PID) Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: write
Name: path
Value: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

(PID) Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: write
Name: UninstallCmdLine
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall

(PID) Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation: write
Name: pv
Value: 1.3.171.39

(PID) Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation: write
Name: name
Value: Microsoft Edge Update

(PID) Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation: write
Name: pv
Value: 1.3.171.39

(PID) Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation: delete value
Name: eulaaccepted
Value: (empty)

(PID) Process: (5592) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft Edge Update
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateCore.exe"
Executable files: 208
Suspicious files: 43
Text files: 10
Unknown types: 5

Dropped files

PID | Process | Filename | Type
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Versions\RobloxStudioInstaller.exe | executable
MD5: 673F7C90ED7046C1403B3EF6D77A706C
SHA256: BBDF25DEE8C741B498E59F8588E2A64C73B012D632B033A5E7C74290F12D3A34
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\671fb1a7b360b7f4281af5e52acc2c84 | compressed
MD5: 671FB1A7B360B7F4281AF5E52ACC2C84
SHA256: B1A1E1E797E1C39277153B76DF1DAD2A8FE3EDD1419540C4FFFD3574A4485436
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\15bd216e6fae9ca480c21db01ce4ae3b | compressed
MD5: 15BD216E6FAE9CA480C21DB01CE4AE3B
SHA256: DD788F4010754D48447E50C1522B5A1E8CCF4EA457C7D80FBA4F6F6B7F24633F
6404 | roblox.exe | C:\Users\admin\AppData\Local\Temp\Roblox\http\RBXC404E79782244D28B4BCE497C18AD1C7 | binary
MD5: 508F31D10EAF8799CAA00C35A8A9B907
SHA256: 6CFB4F7F41C8B6550603D1154FB8A0293AE1F12FE17D5471201CAEAE084EA04F
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\8c4bde50e4b58a0c914b6b040d976113 | compressed
MD5: 8C4BDE50E4B58A0C914B6B040D976113
SHA256: D7FFCF0F4579B2788080197D1E7767E73A928B2BB07B518B413110BBDCBD5497
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\b1f3d2e27e62377a9a8395001b7034d7 | compressed
MD5: B1F3D2E27E62377A9A8395001B7034D7
SHA256: 96B60D3E1C54F789920CA9D39FA02D53F84B713E9B2360FCF4A5A8910CEEFDDD
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\32622161783a33a229827a2a0261cc16 | compressed
MD5: 32622161783A33A229827A2A0261CC16
SHA256: 631125E9AB228CCC5CA7CC723EABC683BAFA245F2E63B9FB23A55073DF017C12
6404 | roblox.exe | C:\Users\admin\AppData\Local\Temp\Roblox\http\8913724486d5e3c463c493b25346ca31 | binary
MD5: 508F31D10EAF8799CAA00C35A8A9B907
SHA256: 6CFB4F7F41C8B6550603D1154FB8A0293AE1F12FE17D5471201CAEAE084EA04F
6404 | roblox.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\e5c236509e5ad76452ee0c377336a48b | compressed
MD5: E5C236509E5AD76452EE0C377336A48B
SHA256: 09AD0D92B4B82259B1792C5FB6BE6CFF008724BB443E30117EA6138217DED1FA
6404 | roblox.exe | C:\Users\admin\AppData\Local\Temp\Roblox\http\RBXC0503C273CC6454A8589DBF273471C45 | binary
MD5: 508F31D10EAF8799CAA00C35A8A9B907
SHA256: 6CFB4F7F41C8B6550603D1154FB8A0293AE1F12FE17D5471201CAEAE084EA04F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 57
DNS requests: 37
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6804 | svchost.exe | HEAD | 200 | 2.16.168.112:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1737036978&P2=404&P3=2&P4=ZoRNYpgff0siXLx9C4kZNYitXOrKF3Q3tIrlqKyFFuXZq7MPBx53V1FWPYrexhOodeoORU3GlO8%2bSy7GTRgy7g%3d%3d | unknown | whitelisted
6632 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6280 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6632 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6804 | svchost.exe | GET | 200 | 2.16.168.112:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1737036978&P2=404&P3=2&P4=ZoRNYpgff0siXLx9C4kZNYitXOrKF3Q3tIrlqKyFFuXZq7MPBx53V1FWPYrexhOodeoORU3GlO8%2bSy7GTRgy7g%3d%3d | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1684 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.31.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
  • 2.23.227.221
  • 2.23.227.198
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.40
  • 2.16.164.32
  • 2.16.164.24
  • 2.16.164.18
  • 2.16.164.34
  • 2.16.164.67
  • 2.16.164.73
  • 2.16.164.72
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.52.120.96
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.2
  • 40.126.31.71
  • 40.126.31.67
  • 40.126.31.69
  • 20.190.159.73
whitelisted
client-telemetry.roblox.com
  • 128.116.44.3
whitelisted
ecsv2.roblox.com
  • 128.116.44.4
whitelisted
clientsettingscdn.roblox.com
  • 52.222.236.113
  • 52.222.236.86
  • 52.222.236.43
  • 52.222.236.6
whitelisted

Threats

PID | Process | Class | Message
6804 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Process | Message
roblox.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobloxPlayerBeta.exe | 2025-01-09T14:17:46.150Z,1.150155,1494,6,Warning [FLog::RobloxStarter] Roblox stage ReadyForFlagFetch completed
RobloxPlayerBeta.exe |
RobloxPlayerBeta.exe | 2025-01-09T14:17:46.152Z,1.152170,1494,6 [FLog::Output] Loading AppSettings.xml from C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\AppSettings.xml
RobloxPlayerBeta.exe |
RobloxPlayerBeta.exe | 2025-01-09T14:17:46.154Z,1.154184,1494,6,Info [FLog::UpdateController] WindowsUpdateController: updaterFullPath: C:\Users\admin\AppData\Local\Roblox\Versions\version-37cf60402a5648b4\RobloxPlayerInstaller.exe
RobloxPlayerBeta.exe |
RobloxPlayerBeta.exe |
RobloxPlayerBeta.exe | 2025-01-09T14:17:46.154Z,1.154184,1494,6,Info [FLog::UpdateController] UpdateController: versionQueryUrl: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayer
RobloxPlayerBeta.exe |