Malware analysis Roblox.exe Malicious activity | ANY.RUN

Add for printing

File name:	Roblox.exe
Full analysis:	https://app.any.run/tasks/dd2d9269-58d6-427c-9897-19c69d8d9b90
Verdict:	Malicious activity
Analysis date:	April 12, 2025, 13:20:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	772DD5C983D078B226E378CAA673B656
SHA1:	C22A73188909CD09DD4B0ABD02F55259EDAF76BC
SHA256:	BC8F4EA8F5FF857B15799F5147F640E594D8711884B9C6A61FAE689D7F74FFC8
SSDEEP:	24576:TgAHvqz/pY+lfo+Ro1SaXgZgqagqCeQWxH9XZeYKDh6ri8id31PovTsvjaYk5ewK:NQBhohwZgqWQ+9XZKDh6ri8id31AvTOh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 7188)
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 7084)
  - Roblox.exe (PID: 7496)
  - Roblox.exe (PID: 7756)
SUSPICIOUS
- Application launched itself
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 7496)
- Reads security settings of Internet Explorer
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 7188)
  - Roblox.exe (PID: 7084)
  - Roblox.exe (PID: 7496)
  - ShellExperienceHost.exe (PID: 4172)
  - Roblox.exe (PID: 7756)
- Process drops legitimate windows executable
  - Roblox.exe (PID: 7496)
- Executable content was dropped or overwritten
  - Roblox.exe (PID: 7496)
- The process drops C-runtime libraries
  - Roblox.exe (PID: 7496)
INFO
- Checks proxy server information
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 7188)
  - Roblox.exe (PID: 7084)
  - slui.exe (PID: 1164)
  - Roblox.exe (PID: 7756)
  - Roblox.exe (PID: 7496)
- Create files in a temporary directory
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 7188)
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 7084)
  - Roblox.exe (PID: 7756)
  - Roblox.exe (PID: 7496)
- Checks supported languages
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 7188)
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 7084)
  - Roblox.exe (PID: 7756)
  - Roblox.exe (PID: 7496)
  - ShellExperienceHost.exe (PID: 4172)
- The sample compiled with english language support
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 7496)
- Reads the machine GUID from the registry
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 7188)
  - Roblox.exe (PID: 7084)
  - Roblox.exe (PID: 7496)
  - Roblox.exe (PID: 7756)
- Reads the computer name
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 7188)
  - Roblox.exe (PID: 7084)
  - Roblox.exe (PID: 7756)
  - Roblox.exe (PID: 7496)
  - ShellExperienceHost.exe (PID: 4172)
- Creates files or folders in the user directory
  - Roblox.exe (PID: 2284)
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 7496)
- Reads the software policy settings
  - Roblox.exe (PID: 2284)
  - slui.exe (PID: 7332)
  - slui.exe (PID: 1164)
  - Roblox.exe (PID: 1452)
  - Roblox.exe (PID: 7496)
  - Roblox.exe (PID: 7756)
- Manual execution by a user
  - cmd.exe (PID: 6824)
  - notepad.exe (PID: 5156)
  - Roblox.exe (PID: 7496)
  - notepad.exe (PID: 1128)
  - notepad.exe (PID: 2552)
  - notepad.exe (PID: 1388)
  - notepad.exe (PID: 5228)
  - cmd.exe (PID: 872)
  - notepad.exe (PID: 2644)
- Creates files in the program directory
  - Roblox.exe (PID: 7496)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:01:22 00:02:34+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	1006592
InitializedDataSize:	444416
UninitializedDataSize:	-
EntryPoint:	0xae2d5
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.6.0.23788
ProductVersionNumber:	1.6.0.23788
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Roblox Corporation
FileDescription:	Roblox
FileVersion:	1, 6, 0, 417004
LegalCopyright:	Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName:	Roblox.exe
ProductName:	Roblox Bootstrapper
ProductVersion:	1, 6, 0, 417004

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

158

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

872

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll

1128

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\RBX-4D6C8C43.log

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

1164

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1388

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\RBX-4D6C8C43.log

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

1452

Roblox.exe -debug

C:\Users\admin\AppData\Local\Temp\Roblox.exe

cmd.exe

User:

admin

Company:

Roblox Corporation

Integrity Level:

MEDIUM

Description:

Roblox

Exit code:

4294967295

Version:

1, 6, 0, 417004

Modules

Images
c:\users\admin\appdata\local\temp\roblox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2284

"C:\Users\admin\AppData\Local\Temp\Roblox.exe"

C:\Users\admin\AppData\Local\Temp\Roblox.exe

explorer.exe

User:

admin

Company:

Roblox Corporation

Integrity Level:

MEDIUM

Description:

Roblox

Exit code:

4294967295

Version:

1, 6, 0, 417004

Modules

Images
c:\users\admin\appdata\local\temp\roblox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2552

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\RBX-9AC7AFDB.log

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

2644

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\RBX-9AC7AFDB.log

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

4172

"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Shell Experience Host

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll

4244

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

6 124

Read events

6 083

Write events

Delete events

Modification events


(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Roblox
Operation:	write	Name:	CPath
Value: C:\Users\admin\AppData\LocalLow\rbxcsettings.rbx
(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Environments
Operation:	delete value	Name:	curStudioVer
Value:
(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\ROBLOX Corporation\Environments
Operation:	delete value	Name:	curStudioUrl
Value:
(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\RobloxReg\ETags
Operation:	write	Name:	RCC-redistXGTFDE2U040VW06D.zip
Value:
(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\RobloxReg\ETags
Operation:	write	Name:	RCC-LibrariesXGTFDE2U040VW06D.zip
Value:
(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\RobloxReg\ETags
Operation:	write	Name:	RCC-shadersXGTFDE2U040VW06D.zip
Value:
(PID) Process:	(2284) Roblox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\RobloxReg\ETags
Operation:	write	Name:	RCC-contentXGTFDE2U040VW06D.zip
Value:

Add for printing

Executable files

Suspicious files

372

Text files

2 126

Unknown types

Dropped files

PID	Process	Filename		Type
2284	Roblox.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517		binary
		MD5:F463F46BBA47F318E8FFE11360D8A777	SHA256:AE3F00AAA04F5FC7DB67128C8EFA47064DC0DAC605E34B76793B41C9CFBDE4AF
2284	Roblox.exe	C:\Users\admin\AppData\Local\Temp\crashpad_roblox\settings.dat		binary
		MD5:397648E9A1515281080DF33BB9374DA7	SHA256:D5F8611967E6E9B28B1A0E7CA9F9A339F0566B1B02A351AF0873EA466908F87B
2284	Roblox.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517		binary
		MD5:881F80BF0ACED47E66A72E1C05B06EA0	SHA256:F2A2CD4269CAB303E246D6D37F0D45D9895BEADF2F05640C1AEE8E8416481FB1
2284	Roblox.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E		binary
		MD5:6EC34697B5E535625F4287F4AB99F0BC	SHA256:E8E0345E65F69786EA3D8A11A1AF4A8F02AF567A0B6953CFAE578636764C1081
2284	Roblox.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\application[1].json		binary
		MD5:D5B60635B3C3010F84CCFA0E22B81C29	SHA256:89AB4CD6F35C64231E94D567EB2664315644AA7E670D452ED95F46E512607BCB
2284	Roblox.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E		binary
		MD5:30BA57DA02913F189236C15C51663E85	SHA256:986265D92021B9E634BF9CC46802486BBEFC0A2DB96036633EEF256DE487D822
2284	Roblox.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B		binary
		MD5:9F0CCB453257DA53C862F8B6E34FB3A5	SHA256:E8136BB51FC1BC420B4918123A8FF88AE8889A6165169A3972ACFCD0A65915EC
2284	Roblox.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B		binary
		MD5:2CC242BC25E0F7AE5C265E75A028F4C2	SHA256:ECA692AAC7C9CA10CA73019AC21F7447A6D584E31F1BCA3CC4194A8DFD1AC631
7188	Roblox.exe	C:\Users\admin\AppData\Local\Temp\RBX-7834DDFC.log		text
		MD5:9D9BC0563800953D63FCA239473F6658	SHA256:4C0E33127D61E9F8BFDE7634516BEDB5D443DCF11F6E91BFDB10CBA99DC6494C
2284	Roblox.exe	C:\Users\admin\AppData\Local\Temp\RBX-B050A795.log		text
		MD5:8AEAEB9113204A151E0DE4E2ED65FE2C	SHA256:7FDCC9F3CA83FD26EDD76B4DED775E96088F6690DE3CB11916813F2C27B30DE0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7960	SIHClient.exe	GET	200	104.85.1.163:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	NL	binary	419 b	whitelisted
—	—	GET	200	2.18.121.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	FR	binary	825 b	whitelisted
2284	Roblox.exe	GET	200	18.245.38.41:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D	US	binary	1.40 Kb	whitelisted
2284	Roblox.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D	US	binary	2.18 Kb	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
2284	Roblox.exe	GET	200	104.18.38.233:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	unknown	binary	1.42 Kb	whitelisted
7960	SIHClient.exe	GET	200	104.85.1.163:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	NL	binary	407 b	whitelisted
7496	Roblox.exe	GET	200	18.161.96.75:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D	US	binary	1.40 Kb	whitelisted
7496	Roblox.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEGxUlMUNeuJZOXh%2FQAMe0fk%3D	US	binary	471 b	whitelisted
7496	Roblox.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEA4jaMy2rxGsbBqVpNHwqqg%3D	US	binary	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.18.121.139:80	crl.microsoft.com	AKAMAI-AS	FR	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2284	Roblox.exe	52.222.236.6:443	clientsettingscdn.roblox.com	AMAZON-02	US	whitelisted
2284	Roblox.exe	18.245.38.41:80	ocsp.rootca1.amazontrust.com	—	US	whitelisted
2284	Roblox.exe	128.116.44.3:443	versioncompatibility.api.roblox.com	ROBLOX-PRODUCTION	US	whitelisted
2284	Roblox.exe	104.18.38.233:80	ocsp.comodoca.com	CLOUDFLARENET	—	whitelisted
2284	Roblox.exe	172.64.149.23:80	ocsp.comodoca.com	CLOUDFLARENET	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.186.110	whitelisted
crl.microsoft.com	2.18.121.139 2.18.121.147	whitelisted
clientsettingscdn.roblox.com	52.222.236.6 52.222.236.86 52.222.236.43 52.222.236.113 13.227.8.64 13.227.8.77 13.227.8.66 13.227.8.19	whitelisted
ocsp.rootca1.amazontrust.com	18.245.38.41 18.161.96.75	whitelisted
setup.rbxcdn.qq.com	0.0.0.1	whitelisted
clientsettingscdn.roblox.qq.com	0.0.0.1	whitelisted
setup.rbxcdn.com	2.18.121.132 2.18.121.137 2.16.241.16 2.16.241.19 3.160.188.64 3.160.188.113 3.160.188.114 3.160.188.89	whitelisted
setup-ak.rbxcdn.com	2.18.121.132 2.18.121.137 2.16.241.16 2.16.241.19 2.16.164.72 2.16.164.129	whitelisted
setup-ll.rbxcdn.com	—	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Roblox.exe

772DD5C983D078B226E378CAA673B656

C22A73188909CD09DD4B0ABD02F55259EDAF76BC

BC8F4EA8F5FF857B15799F5147F640E594D8711884B9C6A61FAE689D7F74FFC8

24576:TgAHvqz/pY+lfo+Ro1SaXgZgqagqCeQWxH9XZeYKDh6ri8id31PovTsvjaYk5ewK:NQBhohwZgqWQ+9XZKDh6ri8id31AvTOh

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

SUSPICIOUS

Application launched itself

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process drops C-runtime libraries

INFO

Checks proxy server information

Create files in a temporary directory

Checks supported languages

The sample compiled with english language support

Reads the machine GUID from the registry

Reads the computer name

Creates files or folders in the user directory

Reads the software policy settings

Manual execution by a user

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings