File name: RobloxPlayerInstaller.exe
Full analysis: https://app.any.run/tasks/a32e2f03-9e4a-4f10-bc9e-6dfd027118fa
Verdict: Malicious activity
Threats:

Stealers are a class of malware built to collect information from a compromised machine and send it to the attacker. The category covers programs that each target a particular kind of data: files, saved passwords, cryptocurrency wallets. Many stealers also spy on the victim by logging keystrokes and capturing screenshots. They are distributed mainly through phishing campaigns.

Analysis date: July 31, 2024, 20:49:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pastebin
stealer
qrcode
crypto-regex
github
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 94740510822524D579F869A81E02F5EA
SHA1: 0E87D714E9EEC2EEE7C3AF028E8E66E7478A107F
SHA256: AD927962330C2D2CF2BF7C33C1A5395DF5CCD4CEABFB10C72DB240041D773DDA
SSDEEP: 98304:bgs0N1XDZEjTJt9y872uxBqWMJuHTNC2P+Ahlex3otgKkfz3wzMdmNezBJQAUEuo:cMjGRGgWQ3Ck

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • RobloxPlayerInstaller.exe (PID: 6464)
      • msiexec.exe (PID: 252)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5988)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • MicrosoftEdge_X64_126.0.2592.113.exe (PID: 6340)
      • Bootstrapper.exe (PID: 8172)
    • Actions looks like stealing of personal data

      • RobloxPlayerInstaller.exe (PID: 6464)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 4040)
  • SUSPICIOUS

    • Changes default file association

      • RobloxPlayerInstaller.exe (PID: 6464)
    • Executable content was dropped or overwritten

      • RobloxPlayerInstaller.exe (PID: 6464)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5988)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • Bootstrapper.exe (PID: 8172)
      • MicrosoftEdge_X64_126.0.2592.113.exe (PID: 6340)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 252)
      • MicrosoftEdgeUpdate.exe (PID: 6368)
    • Reads the date of Windows installation

      • Bootstrapper.exe (PID: 6416)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • Bootstrapper.exe (PID: 8172)
      • Bootstrapper.exe (PID: 3360)
    • Process drops legitimate windows executable

      • RobloxPlayerInstaller.exe (PID: 6464)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5988)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • svchost.exe (PID: 4936)
      • Bootstrapper.exe (PID: 8172)
      • MicrosoftEdge_X64_126.0.2592.113.exe (PID: 6340)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 252)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 5956)
      • Bootstrapper.exe (PID: 6416)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • msiexec.exe (PID: 7936)
      • msiexec.exe (PID: 7496)
      • Bootstrapper.exe (PID: 8172)
      • MicrosoftEdgeUpdate.exe (PID: 6368)
      • Bootstrapper.exe (PID: 3360)
      • Solara.exe (PID: 7248)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 4040)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 4040)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 1360)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3356)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3256)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2424)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 4936)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • msiexec.exe (PID: 7496)
      • wevtutil.exe (PID: 1608)
    • The process drops C-runtime libraries

      • Bootstrapper.exe (PID: 8172)
    • Application launched itself

      • setup.exe (PID: 6964)
  • INFO

    • Creates files or folders in the user directory

      • RobloxPlayerInstaller.exe (PID: 6464)
      • msiexec.exe (PID: 252)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • MicrosoftEdgeUpdate.exe (PID: 6368)
      • MicrosoftEdge_X64_126.0.2592.113.exe (PID: 6340)
      • setup.exe (PID: 6508)
      • setup.exe (PID: 6964)
    • Process checks whether UAC notifications are on

      • RobloxPlayerInstaller.exe (PID: 6464)
    • Checks supported languages

      • RobloxPlayerInstaller.exe (PID: 6464)
      • msiexec.exe (PID: 252)
      • Bootstrapper.exe (PID: 6416)
      • msiexec.exe (PID: 872)
      • msiexec.exe (PID: 5956)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5988)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3256)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2424)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3356)
      • MicrosoftEdgeUpdate.exe (PID: 1360)
      • MicrosoftEdgeUpdate.exe (PID: 300)
      • MicrosoftEdgeUpdate.exe (PID: 2768)
      • MicrosoftEdgeUpdate.exe (PID: 6368)
      • Bootstrapper.exe (PID: 6868)
      • TextInputHost.exe (PID: 1356)
      • Bootstrapper.exe (PID: 8172)
      • msiexec.exe (PID: 7496)
      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 7684)
      • setup.exe (PID: 6508)
      • MicrosoftEdge_X64_126.0.2592.113.exe (PID: 6340)
      • setup.exe (PID: 6964)
      • Bootstrapper.exe (PID: 3360)
      • node.exe (PID: 2080)
      • Solara.exe (PID: 7248)
      • msiexec.exe (PID: 7936)
    • Reads the machine GUID from the registry

      • RobloxPlayerInstaller.exe (PID: 6464)
      • msiexec.exe (PID: 252)
      • Bootstrapper.exe (PID: 6416)
      • Bootstrapper.exe (PID: 6868)
      • Bootstrapper.exe (PID: 8172)
      • MicrosoftEdgeUpdate.exe (PID: 6368)
      • Bootstrapper.exe (PID: 3360)
      • Solara.exe (PID: 7248)
    • Reads the computer name

      • RobloxPlayerInstaller.exe (PID: 6464)
      • msiexec.exe (PID: 252)
      • Bootstrapper.exe (PID: 6416)
      • msiexec.exe (PID: 5956)
      • msiexec.exe (PID: 872)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2424)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3256)
      • MicrosoftEdgeUpdate.exe (PID: 1360)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3356)
      • MicrosoftEdgeUpdate.exe (PID: 300)
      • MicrosoftEdgeUpdate.exe (PID: 6368)
      • MicrosoftEdgeUpdate.exe (PID: 2768)
      • Bootstrapper.exe (PID: 6868)
      • TextInputHost.exe (PID: 1356)
      • Bootstrapper.exe (PID: 8172)
      • msiexec.exe (PID: 7496)
      • msiexec.exe (PID: 7936)
      • msiexec.exe (PID: 8112)
      • msiexec.exe (PID: 7684)
      • MicrosoftEdge_X64_126.0.2592.113.exe (PID: 6340)
      • setup.exe (PID: 6964)
      • Solara.exe (PID: 7248)
      • Bootstrapper.exe (PID: 3360)
    • Create files in a temporary directory

      • RobloxPlayerInstaller.exe (PID: 6464)
      • Bootstrapper.exe (PID: 6416)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5988)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • svchost.exe (PID: 4936)
      • Bootstrapper.exe (PID: 6868)
      • Bootstrapper.exe (PID: 8172)
    • Manual execution by a user

      • Bootstrapper.exe (PID: 964)
      • Bootstrapper.exe (PID: 6416)
      • Bootstrapper.exe (PID: 6868)
      • firefox.exe (PID: 6872)
      • Bootstrapper.exe (PID: 8124)
      • Bootstrapper.exe (PID: 7144)
      • Bootstrapper.exe (PID: 8172)
      • Bootstrapper.exe (PID: 812)
      • Bootstrapper.exe (PID: 3360)
    • Disables trace logs

      • Bootstrapper.exe (PID: 6416)
      • Bootstrapper.exe (PID: 6868)
      • Bootstrapper.exe (PID: 8172)
      • Bootstrapper.exe (PID: 3360)
      • Solara.exe (PID: 7248)
    • Checks proxy server information

      • Bootstrapper.exe (PID: 6416)
      • MicrosoftEdgeUpdate.exe (PID: 300)
      • MicrosoftEdgeUpdate.exe (PID: 6368)
      • Bootstrapper.exe (PID: 6868)
      • Bootstrapper.exe (PID: 8172)
      • Bootstrapper.exe (PID: 3360)
      • Solara.exe (PID: 7248)
    • Reads the software policy settings

      • Bootstrapper.exe (PID: 6416)
      • msiexec.exe (PID: 252)
      • MicrosoftEdgeUpdate.exe (PID: 300)
      • MicrosoftEdgeUpdate.exe (PID: 6368)
      • Bootstrapper.exe (PID: 6868)
      • Bootstrapper.exe (PID: 8172)
      • Bootstrapper.exe (PID: 3360)
      • Solara.exe (PID: 7248)
    • Reads Environment values

      • Bootstrapper.exe (PID: 6416)
      • MicrosoftEdgeUpdate.exe (PID: 300)
      • Bootstrapper.exe (PID: 6868)
      • Bootstrapper.exe (PID: 8172)
      • Bootstrapper.exe (PID: 3360)
      • Solara.exe (PID: 7248)
    • Process checks computer location settings

      • Bootstrapper.exe (PID: 6416)
      • MicrosoftEdgeUpdate.exe (PID: 4040)
      • Bootstrapper.exe (PID: 8172)
      • Bootstrapper.exe (PID: 3360)
    • Application launched itself

      • msiexec.exe (PID: 252)
      • firefox.exe (PID: 6872)
      • firefox.exe (PID: 6836)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 252)
    • Drops the executable file immediately after the start

      • svchost.exe (PID: 4936)
    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 6836)
    • Creates files in the program directory

      • Bootstrapper.exe (PID: 8172)
    • Dropped object may contain TOR URL's

      • Bootstrapper.exe (PID: 8172)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1976:05:08 17:55:59+00:00 (not a real build date: the image was linked with MSVC linker 14.29, which shipped in 2021, and a reproducible-build link (/Brepro) stores a content hash in this field, so do not use it for timelining)
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 3435008
InitializedDataSize: 15253504
UninitializedDataSize: -
EntryPoint: 0x2f3100
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.6.1.19016
ProductVersionNumber: 1.6.1.19016
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Roblox Corporation
FileDescription: Roblox
FileVersion: 1, 6, 1, 6310472
LegalCopyright: Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName: Roblox.exe
ProductName: Roblox Bootstrapper
ProductVersion: 1, 6, 1, 6310472
No data.
All screenshots are available in the full report
Total processes: 196
Monitored processes: 57
Malicious processes: 6
Suspicious processes: 1

Behavior graph

start robloxplayerinstaller.exe rundll32.exe no specs bootstrapper.exe no specs bootstrapper.exe conhost.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe bootstrapper.exe no specs bootstrapper.exe conhost.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs textinputhost.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs bootstrapper.exe no specs bootstrapper.exe conhost.exe no specs msiexec.exe no specs wevtutil.exe no specs conhost.exe no specs wevtutil.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs microsoftedge_x64_126.0.2592.113.exe setup.exe no specs bootstrapper.exe no specs setup.exe no specs bootstrapper.exe conhost.exe no specs node.exe no specs conhost.exe no specs solara.exe

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 252
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 300
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7QThFMTE2MzAtRDQzMS00QUIwLThFNUItNzk2QTM1MDAwMTBBfSIgdXNlcmlkPSJ7OUQ1MDIxRTEtNkUxQi00MjQ5LTg1OUYtREQ4QjAwNDkzMEQ3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGMjM0MkNDQi1EM0NGLTRFNDMtOTYxQS03QjE3RkU2Mzg2NTV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA1ODQxMDk1MzkiIGluc3RhbGxfdGltZV9tcz0iNzEyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
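The /ping argument on the PID 300 command line is the Omaha (Google/Edge Update) event report: XML, base64-encoded with the URL-safe alphabet (hence the "-" characters) and with the "=" padding stripped, which is why a plain base64 decoder rejects it. The following is an added example for this report, not ANY.RUN's or Microsoft's code: it takes the command line copied verbatim from the entry above, repairs the padding, decodes the XML and pulls out the fields worth recording (updater version, per-user versus per-machine install, OS build, OEM, app id, event type and result). The dictionary keys are my own naming.

```python
"""Decode the Omaha /ping report MicrosoftEdgeUpdate.exe (PID 300) sent.

Added example for this report, not ANY.RUN's or Microsoft's code.
"""
import base64
import xml.etree.ElementTree as ET

# Command line copied verbatim from the PID 300 entry above.
PING_CMDLINE = (
    r'"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping '
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFo"
    "YSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vz"
    "c2lvbmlkPSJ7QThFMTE2MzAtRDQzMS00QUIwLThFNUItNzk2QTM1MDAwMTBBfSIgdXNlcmlkPSJ7OUQ1MDIxRTEtNkUxQi00MjQ5"
    "LTg1OUYtREQ4QjAwNDkzMEQ3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGMjM0MkNDQi1E"
    "M0NGLTRFNDMtOTYxQS03QjE3RkU2Mzg2NTV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0i"
    "NCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0i"
    "MSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFy"
    "Y2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJv"
    "ZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIw"
    "RjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2"
    "ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGlt"
    "ZV90aWNrcz0iMTA1ODQxMDk1MzkiIGluc3RhbGxfdGltZV9tcz0iNzEyIi8-PC9hcHA-PC9yZXF1ZXN0Pg"
)


def extract_ping_arg(cmdline: str) -> str:
    """Return the token that follows /ping on an Edge Update command line."""
    _, _, rest = cmdline.partition("/ping")
    if not rest.strip():
        raise ValueError("no /ping argument on command line")
    return rest.split()[0]


def decode_ping_arg(arg: str) -> bytes:
    """Omaha uses the URL-safe alphabet ('-' and '_') and drops the '=' padding."""
    padded = arg + "=" * (-len(arg) % 4)
    return base64.urlsafe_b64decode(padded)


def _attr(el, name: str) -> str:
    return el.attrib.get(name, "") if el is not None else ""


def summarize_ping(cmdline: str) -> dict:
    """Parse the decoded XML and return the fields an analyst would record."""
    root = ET.fromstring(decode_ping_arg(extract_ping_arg(cmdline)))
    if root.tag != "request":
        raise ValueError(f"unexpected root element {root.tag!r}")
    os_el, oem_el, app_el = root.find("os"), root.find("oem"), root.find("app")
    event_el = app_el.find("event") if app_el is not None else None
    return {
        "updater": _attr(root, "updater"),
        "updaterversion": _attr(root, "updaterversion"),
        # "0" = per-user install under %LOCALAPPDATA%, "1" = per-machine install
        "ismachine": _attr(root, "ismachine"),
        "installsource": _attr(root, "installsource"),
        "sessionid": _attr(root, "sessionid"),
        "userid": _attr(root, "userid"),
        "os_version": _attr(os_el, "version"),
        "arch": _attr(os_el, "arch"),
        "oem": _attr(oem_el, "product_manufacturer"),
        "appid": _attr(app_el, "appid"),
        "nextversion": _attr(app_el, "nextversion"),
        # Omaha protocol 3: eventtype 2 = install complete, eventresult 1 = success
        "eventtype": _attr(event_el, "eventtype"),
        "eventresult": _attr(event_el, "eventresult"),
    }


if __name__ == "__main__":
    for key, value in summarize_ping(PING_CMDLINE).items():
        print(f"{key:>14}: {value}")
```

base64.b64decode() fails on this argument because of the "-" characters; once decoded, the request reports ismachine="0", a per-user Edge Update install under %LOCALAPPDATA%, which is consistent with the path the "Starts a Microsoft application from unusual location" signature reacts to, and an install-complete event with result 1 (success) for the updater itself.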
PID: 812
CMD: "C:\Users\admin\Downloads\Bootstrapper.exe"
Path: C:\Users\admin\Downloads\Bootstrapper.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: SolaraBootstrapper
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0
Modules
Images
c:\users\admin\downloads\bootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 872
CMD: C:\Windows\System32\MsiExec.exe -Embedding A4BAAA423940E91368482BACCC106A8A
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 964
CMD: "C:\Users\admin\Downloads\Bootstrapper.exe"
Path: C:\Users\admin\Downloads\Bootstrapper.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: SolaraBootstrapper
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0
Modules
Images
c:\users\admin\downloads\bootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
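ANY.RUN prints exit codes in decimal, so a value like 3221226540 for the two Bootstrapper.exe instances started from explorer.exe (PIDs 812 and 964) is easy to misread as an application-specific number. It is the NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED: the image asked for elevation and the unelevated launch was refused, which fits the later Bootstrapper.exe instance that spawns msiexec.exe (PID 2044) at HIGH integrity. The following is an added example, not ANY.RUN's code, that converts a reported exit code into its hex form, splits the NTSTATUS bit fields (severity, customer bit, facility, code) and names the handful of values worth recognising on sight; the name table is a hand-picked subset of ntstatus.h, and the PID-to-exit-code map is copied from the process entries on this page.

```python
"""Turn the decimal exit codes in an ANY.RUN process list into NTSTATUS values.

Added example for this report, not ANY.RUN's code. KNOWN_NTSTATUS is a
hand-picked subset of ntstatus.h, not a complete table.
"""

KNOWN_NTSTATUS = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",    # Win32 twin: ERROR_ELEVATION_REQUIRED (740)
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",  # /GS cookie failure or __fastfail
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC000027B: "STATUS_STOWED_EXCEPTION",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# Exit codes copied from the process entries in this report (PID -> exit code).
REPORT_EXIT_CODES = {
    300: 0, 812: 3221226540, 872: 0, 964: 3221226540,
    1360: 0, 1608: 0, 2044: 0, 2080: 0,
}


def decode_exit_code(code: int) -> dict:
    """Interpret a process exit code; large values are NTSTATUS, small ones Win32/CRT."""
    code &= 0xFFFFFFFF
    if code < 0x10000:
        # Heuristic: ordinary exit statuses and Win32 error numbers fit in 16 bits.
        return {"hex": f"0x{code:08X}", "kind": "win32", "value": code, "name": None}
    return {
        "hex": f"0x{code:08X}",
        "kind": "ntstatus",
        "severity": SEVERITY[code >> 30],          # bits 31-30
        "customer": bool((code >> 29) & 1),        # bit 29: vendor-defined status
        "facility": (code >> 16) & 0xFFF,          # bits 27-16
        "value": code & 0xFFFF,                    # bits 15-0
        "name": KNOWN_NTSTATUS.get(code),
    }


def describe(code: int) -> str:
    """One-line rendering for a triage note."""
    info = decode_exit_code(code)
    if info["kind"] == "win32":
        return f"{code} ({info['hex']}, plain exit status)"
    name = info["name"] or "unnamed NTSTATUS"
    return f"{code} ({info['hex']}, {name}, severity={info['severity']}, facility={info['facility']})"


def elevation_failures(exit_codes: dict) -> list:
    """PIDs whose process died with STATUS_ELEVATION_REQUIRED, in ascending order."""
    return sorted(pid for pid, code in exit_codes.items()
                  if decode_exit_code(code)["name"] == "STATUS_ELEVATION_REQUIRED")


if __name__ == "__main__":
    for pid, code in sorted(REPORT_EXIT_CODES.items()):
        print(f"PID {pid:>5}: {describe(code)}")
    print("needed elevation:", elevation_failures(REPORT_EXIT_CODES))
```

The 16-bit cut-off is a heuristic: a program may exit with any value, so treat the "win32" branch as "not obviously an NTSTATUS" rather than a guarantee.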
PID: 1356
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Version: 123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 1360
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 1608
CMD: "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
Path: C:\Windows\SysWOW64\wevtutil.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Eventing Command Line Utility
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2044
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: Bootstrapper.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 2080
CMD: "node" -v
Path: C:\Program Files\nodejs\node.exe
Parent process: Bootstrapper.exe
User: admin
Company: Node.js
Integrity Level: HIGH
Description: Node.js JavaScript Runtime
Exit code: 0
Version: 18.16.0
Modules
Images
c:\program files\nodejs\node.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ucrtbase.dll
Total events: 66 623
Read events: 58 452
Write events: 8 103
Delete events: 68

Modification events

PID 6464 RobloxPlayerInstaller.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | Operation: write | Name: WarnOnOpen | Value: 0
PID 6464 RobloxPlayerInstaller.exe | Key: HKEY_CLASSES_ROOT\roblox-studio | Operation: write | Name: URL Protocol | Value: (empty)
PID 6464 RobloxPlayerInstaller.exe | Key: HKEY_CLASSES_ROOT\roblox-studio\shell\open\command | Operation: write | Name: version | Value: version-258fa44b42074cfc
PID 6416 Bootstrapper.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 6416 Bootstrapper.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
PID 6416 Bootstrapper.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
PID 6416 Bootstrapper.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 6416 Bootstrapper.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 | Operation: write | Name: FileTracingMask | Value: (empty)
PID 6416 Bootstrapper.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value: (empty)
PID 6416 Bootstrapper.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
Note: the first three writes register the roblox-studio: URL scheme and set WarnOnOpen=0 so that Internet Explorer launches the handler for roblox-studio: links without prompting; that is what the "Changes default file association" indicator refers to. The Tracing\Bootstrapper_RASAPI32 keys, written with their default values, are created by the RAS tracing runtime whenever a process loads rasapi32.dll (typically through WinINet or .NET networking); they are an artifact of using the API rather than an attempt to disable logging, so the "Disables trace logs" signature carries little weight here.
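The modification-event records above are exported as four-line blocks with the process name and key fused onto one line, and an empty value is exported as a bare "Value:" line with nothing after it. The following is an added example, not ANY.RUN's code: a parser for that layout run over the ten records copied from this report, followed by a triage pass that separates the one change worth looking at (WarnOnOpen=0 under ProtocolExecute, which silences the prompt before a browser hands a custom-scheme link to its handler) from the URL-scheme registration it belongs to and from the RAS tracing keys that rasapi32.dll writes on load. The severity labels and rule set are my own.

```python
"""Parse and triage ANY.RUN 'Modification events' records.

Added example for this report, not ANY.RUN's code. SAMPLE is the ten
records copied from the report, in the layout the page exports them in.
"""
import re

SAMPLE = r"""
(PID) Process:(6464) RobloxPlayerInstaller.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation:writeName:WarnOnOpen
Value:
0
(PID) Process:(6464) RobloxPlayerInstaller.exeKey:HKEY_CLASSES_ROOT\roblox-studio
Operation:writeName:URL Protocol
Value:
(PID) Process:(6464) RobloxPlayerInstaller.exeKey:HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation:writeName:version
Value:
version-258fa44b42074cfc
(PID) Process:(6416) Bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6416) Bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6416) Bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6416) Bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6416) Bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(6416) Bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(6416) Bootstrapper.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
"""

RECORD = re.compile(r"^\(PID\) Process:\((\d+)\) (.+?)Key:(.+)$")
OPNAME = re.compile(r"^Operation:(\w+)Name:(.*)$")
BS = "\\"


def parse_events(text: str) -> list:
    """Split the export into records; a 'Value:' line with no data line means an empty value."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    records, i = [], 0
    while i < len(lines):
        head = RECORD.match(lines[i])
        if not head:
            raise ValueError(f"unexpected line {i}: {lines[i]!r}")
        pid, proc, key = head.groups()
        op = OPNAME.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not op or i + 2 >= len(lines) or lines[i + 2] != "Value:":
            raise ValueError(f"malformed record starting at line {i}")
        value, i = "", i + 3
        if i < len(lines) and not RECORD.match(lines[i]):   # a data line follows Value:
            value, i = lines[i], i + 1
        records.append({"pid": int(pid), "process": proc, "key": key,
                        "op": op.group(1), "name": op.group(2), "value": value})
    return records


def triage(records: list) -> list:
    """Label each record (severity, pid, message); rules and labels are this example's own."""
    findings = []
    for r in records:
        key_l = r["key"].lower()
        if BS + "protocolexecute" + BS in key_l and r["name"] == "WarnOnOpen" and r["value"] == "0":
            scheme = r["key"].rsplit(BS, 1)[-1]
            findings.append(("suspicious", r["pid"],
                             f"WarnOnOpen=0 for {scheme}: IE launches the {scheme}: handler without a prompt"))
        elif key_l.startswith("hkey_classes_root" + BS) and r["name"] == "URL Protocol":
            findings.append(("info", r["pid"], f"registers URL scheme {r['key'].split(BS)[1]}:"))
        elif BS + "shell" + BS + "open" + BS + "command" in key_l:
            findings.append(("info", r["pid"], f"handler command key touched: {r['name']}={r['value']}"))
        elif BS + "microsoft" + BS + "tracing" in key_l:
            findings.append(("benign", r["pid"], "RAS tracing key written by rasapi32 on load, not log tampering"))
        else:
            findings.append(("unclassified", r["pid"], f"{r['key']} {r['name']}={r['value']}"))
    return findings


if __name__ == "__main__":
    for severity, pid, message in triage(parse_events(SAMPLE)):
        print(f"[{severity:>12}] PID {pid}: {message}")
```

Anything that lands in "unclassified" is what deserves a human look; the point of the benign bucket is to stop the seven RASAPI32 writes from drowning out the one ProtocolExecute change.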
Executable files: 247
Suspicious files: 1 073
Text files: 1 659
Unknown types: 26

Dropped files

Fields: PID | Process | Filename | Type (MD5 and SHA256 on the following lines)
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox\Roblox Studio.lnk | binary
MD5: D7D22561A11B75C2BC785887F315F54B
SHA256: B86CE3E2FF91385F3584CAE54DC3C1D3A8CF715D3D91690FC9CE74416D712B7A
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\AppData\Local\Roblox\logs\cacert.pem | text
MD5: 0194EB945475F93844C0FAE769C0FA0B
SHA256: A6BC06B8255E4AFE2EEFF34684605D04DF9EC246FC201BF5E44137987189A0D3
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\Desktop\Roblox Studio.lnk | binary
MD5: 51BF034901C355FCC11510579E3AADCB
SHA256: D04CA560554A6CA03EF6669C1F56A47B5BB807E6173C1E0A0D4A209FBED37204
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\899eef21b7c170ec49cb1f06402dd953 | compressed
MD5: 899EEF21B7C170EC49CB1F06402DD953
SHA256: CBAC00C378E82248CFBA494987EDB2E5A129BC51FD4F28B1C94ABBB207E6A2EF
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\AppData\Local\Temp\Roblox\http\8913724486d5e3c463c493b25346ca31 | binary
MD5: 2754606CD426F100DB35CFF6B4E14D76
SHA256: BFFC3F767CFE07193107EC69C24D42CC7F00D30C54A93A98DF11F107319A45A5
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\1d0390337d1a4a58e5514be1a9481ad6 | compressed
MD5: 1D0390337D1A4A58E5514BE1A9481AD6
SHA256: C79F0EEB2BCA4905C585C50333DB3C6F727A554F5DB82E64948F93668FBC18AA
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\58e86f42c37021ac88a95f8693dac67a | compressed
MD5: 58E86F42C37021AC88A95F8693DAC67A
SHA256: 522FECDDF6931B79F6A8AE159C1465404F8F1E6E61673F791D730DC20F3E8A3D
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\32b1e1dc9c28a412cd13936305620af8 | compressed
MD5: 32B1E1DC9C28A412CD13936305620AF8
SHA256: 04AB3782BDF95AE8640BABDFD7524A33A744F5B3D10C7523F6C7A704E79AB3F3
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\AppData\Local\Temp\Roblox\http\RBXCC8DE7BBD6964573A419DF8E5F7FFAF2 | binary
MD5: D14AF7F91D200353DABFEB3205425BE0
SHA256: 681D8753E9CD9FC5946359A4E786CA94BCCA43280581EC3A2F037BA6D2281C06
6464 | RobloxPlayerInstaller.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\30c885074d0320c0932e06bfd537c915 | compressed
MD5: 30C885074D0320C0932E06BFD537C915
SHA256: 4C732976972BBEC8B2B0C579067F6AB4A143263637E6F9A6E2AA1FE7F9A68E7B
Note: the packages under Roblox\Downloads\roblox-player\ are named by their own MD5, and each name matches the hash recorded for the file, which is a quick integrity check when comparing a sample against what the installer normally fetches from setup.rbxcdn.com.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 40
TCP/UDP connections: 249
DNS requests: 297
Threats: 4

HTTP requests

Fields: PID | Process | Method | HTTP code | IP | URL | CN | Reputation (the Type and Size columns are empty in every exported row)
6836 | firefox.exe | POST | 200 | 23.55.110.75:80 | http://r10.o.lencr.org/ | unknown | unknown
6836 | firefox.exe | POST | 200 | 23.55.110.75:80 | http://r10.o.lencr.org/ | unknown | unknown
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1344 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6852 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6896 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
252 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D | unknown | whitelisted
252 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAOO2y%2FG5AVzGnYPFRYUTIU%3D | unknown | whitelisted
6836 | firefox.exe | POST | 200 | 23.55.110.75:80 | http://r10.o.lencr.org/ | unknown | unknown
6836 | firefox.exe | POST | 200 | 142.250.181.227:80 | http://o.pki.goog/wr2 | unknown | unknown
Note: every plaintext request listed is an OCSP certificate-status check (Let's Encrypt R10, DigiCert, Google Trust Services); the sample's own traffic is the TLS to roblox.com and rbxcdn.com in the Connections table.

Connections

Fields: PID | Process | IP | Domain | ASN | CN | Reputation
5492 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4100 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6464 | RobloxPlayerInstaller.exe | 128.116.123.3:443 | client-telemetry.roblox.com | ROBLOX-PRODUCTION | US | malicious
6464 | RobloxPlayerInstaller.exe | 128.116.123.4:443 | ecsv2.roblox.com | ROBLOX-PRODUCTION | US | unknown
6464 | RobloxPlayerInstaller.exe | 99.86.4.20:443 | clientsettingscdn.roblox.com | AMAZON-02 | US | unknown
6464 | RobloxPlayerInstaller.exe | 2.16.241.7:443 | setup.rbxcdn.com | Akamai International B.V. | DE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
Note: client-telemetry.roblox.com (128.116.123.3) is rated malicious in this table but whitelisted in the DNS table below; check the PCAP before using the connection-level rating as an IOC.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
client-telemetry.roblox.com
  • 128.116.123.3
whitelisted
ecsv2.roblox.com
  • 128.116.123.4
  • 128.116.123.3
whitelisted
clientsettingscdn.roblox.com
  • 99.86.4.20
  • 99.86.4.8
  • 99.86.4.125
  • 99.86.4.62
whitelisted
setup.rbxcdn.com
  • 2.16.241.7
  • 2.16.241.19
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.23.209.182
  • 2.23.209.140
  • 2.23.209.189
  • 2.23.209.149
  • 2.23.209.133
  • 2.23.209.179
  • 2.23.209.130
  • 2.23.209.187
  • 184.86.251.19
  • 184.86.251.23
  • 184.86.251.17
  • 184.86.251.28
  • 184.86.251.9
  • 184.86.251.11
  • 184.86.251.21
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.136
  • 20.190.160.20
whitelisted

Threats

Fields: PID | Process | Class | Message
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
4936 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
Debug output

Process: RobloxPlayerInstaller.exe
Message: WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.