File name:

RobloxPlayerInstaller.exe

Full analysis: https://app.any.run/tasks/bc63f941-bcf3-4e77-88ce-75dc0743a498
Verdict: Malicious activity
Analysis date: February 14, 2025, 09:59:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
roblox
arch-doc
arch-scr
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

D1F5BA6D15F73E7F533EC0C37CDD0EE8

SHA1:

68C709E8BDB73A5006D8EB4FC524016BB80E99B2

SHA256:

C6A0E5F7CB081BA6881857B685F9CEE33D9F8B2585CAEC5BE31492C381F3C541

SSDEEP:

98304:wQs02ayAjsZO7VJvHWbJHxjqYtX1FiId1Uz5NLeGcp1OhNOD1Wdn6EKr3ETXB0YV:LPEPyPElSH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6172)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)

    • Changes default file association

      • RobloxPlayerInstaller.exe (PID: 6712)

    • The process drops C-runtime libraries

      • RobloxPlayerInstaller.exe (PID: 6712)

    • Executable content was dropped or overwritten

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 6172)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6172)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1044)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1304)
      • MicrosoftEdgeUpdate.exe (PID: 3744)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3920)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Application launched itself

      • setup.exe (PID: 8532)
      • MicrosoftEdgeUpdate.exe (PID: 5892)

    • Searches for installed software

      • setup.exe (PID: 8532)

    • Creates a software uninstall entry

      • setup.exe (PID: 8532)
      • RobloxPlayerInstaller.exe (PID: 6712)

    • Executes application which crashes

      • RobloxPlayerBeta.exe (PID: 8904)

    • Detected use of alternative data streams (AltDS)

      • RobloxPlayerBeta.exe (PID: 8904)

  • INFO

    • Reads the machine GUID from the registry

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • RobloxCrashHandler.exe (PID: 9144)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Checks supported languages

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdate.exe (PID: 3744)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1044)
      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 1044)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1304)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3920)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)
      • setup.exe (PID: 8556)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • RobloxPlayerBeta.exe (PID: 8904)
      • RobloxCrashHandler.exe (PID: 9144)

    • The sample compiled with english language support

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)

    • Process checks whether UAC notifications are on

      • RobloxPlayerInstaller.exe (PID: 6712)

    • Manual execution by a user

      • firefox.exe (PID: 3608)

    • Reads the computer name

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1044)
      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 1044)
      • MicrosoftEdgeUpdate.exe (PID: 3744)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1304)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3920)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Application launched itself

      • firefox.exe (PID: 3608)
      • firefox.exe (PID: 6496)

    • ROBLOX mutex has been found

      • RobloxPlayerInstaller.exe (PID: 6712)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Create files in a temporary directory

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Creates files or folders in the user directory

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)
      • setup.exe (PID: 8556)
      • RobloxPlayerBeta.exe (PID: 8904)
      • RobloxCrashHandler.exe (PID: 9144)
      • WerFault.exe (PID: 488)

    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • WerFault.exe (PID: 488)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 8832)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • setup.exe (PID: 8532)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • RobloxPlayerBeta.exe (PID: 8904)
      • WerFault.exe (PID: 488)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2054:08:14 20:48:51+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 4767744
InitializedDataSize: 2888704
UninitializedDataSize: -
EntryPoint: 0x42b1e5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.6.2.36879
ProductVersionNumber: 1.6.2.36879
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Roblox Corporation
FileDescription: Roblox
FileVersion: 1, 6, 2, 6590479
LegalCopyright: Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName: Roblox.exe
ProductName: Roblox Bootstrapper
ProductVersion: 1, 6, 2, 6590479
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
168
Monitored processes
41
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start robloxplayerinstaller.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe firefox.exe no specs microsoftedge_x64_133.0.3065.59.exe setup.exe setup.exe no specs microsoftedgeupdate.exe robloxplayerbeta.exe robloxcrashhandler.exe werfault.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -parentBuildID 20240213221259 -sandboxingKind 3 -prefsHandle 8064 -prefMapHandle 8060 -prefsLen 38114 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1149ba74-34ce-49ed-89dd-364e6e2b0754} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd45d58110 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\vcruntime140.dll
432"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7MTFDQjFDRDctRDk0My00QTQzLUE1Q0QtRjI1MjcyNEZGQTcxfSIgdXNlcmlkPSJ7NEQyNzM0OTQtNjVBNi00MzkzLUI2RjUtQkUwMzdBRUVGODg2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBREFCQjU5Mi0yMzJCLTRCNEMtOEQ3NS1ENzM5MTQ2NTUwNjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzMDg5MjMzODIiIGluc3RhbGxfdGltZV9tcz0iMTEyMSIvPjwvYXBwPjwvcmVxdWVzdD4C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
488C:\WINDOWS\system32\WerFault.exe -u -p 8904 -s 2824C:\Windows\System32\WerFault.exe
RobloxPlayerBeta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
1044"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1044"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{11CB1CD7-D943-4A43-A5CD-F252724FFA71}" /silentC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
1304"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2084"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 2 -isForBrowser -prefsHandle 4372 -prefMapHandle 4368 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1532 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed550782-d28e-4973-b9d5-7e41eca40ff2} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd4418d690 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2324"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 6 -isForBrowser -prefsHandle 5684 -prefMapHandle 5680 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1532 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0962270-3ca8-49ce-bf54-07a2cb7fe32c} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd484284d0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
2612"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7612 -childID 16 -isForBrowser -prefsHandle 7872 -prefMapHandle 7868 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1532 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf9d2549-989d-47c5-bbd4-98cd51dda3d9} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd493baf50 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
51 274
Read events
47 998
Write events
3 209
Delete events
67

Modification events

(PID) Process:(6712) RobloxPlayerInstaller.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation:writeName:WarnOnOpen
Value:
0
(PID) Process:(6712) RobloxPlayerInstaller.exeKey:HKEY_CLASSES_ROOT\roblox-studio
Operation:writeName:URL Protocol
Value:
(PID) Process:(6712) RobloxPlayerInstaller.exeKey:HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation:writeName:version
Value:
version-6b610f1860d74e5d
(PID) Process:(6496) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:delete valueName:eulaaccepted
Value:
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:writeName:path
Value:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:writeName:UninstallCmdLine
Value:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:writeName:pv
Value:
1.3.171.39
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:writeName:name
Value:
Microsoft Edge Update
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:writeName:pv
Value:
1.3.171.39
Executable files
211
Suspicious files
262
Text files
64
Unknown types
0

Dropped files

PID
Process
Filename
Type
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\aaae84f3721bb879e4ff5b3491a8db35compressed
MD5:577F05CD683ED0577F6C970EA57129E0
SHA256:7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF
6496firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\15bd216e6fae9ca480c21db01ce4ae3bcompressed
MD5:0FDE982F2A8B7C16DF5335BC0B68523B
SHA256:7F9DE5169EC785E73D80A5D03866DBADDEEBDDFB2745D6F38761887EBC147B77
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Temp\Roblox\http\RBX94522CCC7A26405997615DC2E2E3F237binary
MD5:D57A4849C167E02FB247A67035BEE744
SHA256:83B14EE9E7F5030BA9A0E859F6B9A71C10EA2A066A2BCC96034046938B772718
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\logs\cacert.pemtext
MD5:6CED45AE0FCB6620235271F2C6F41411
SHA256:AD64CF840A0FCE7924AC5F8A4F6900BFE73709A5A61031404A213AB563C286D8
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox\Roblox Studio.lnkbinary
MD5:458A3A6DC92972DBF312F1BDC29258B0
SHA256:EBE4CBBEB7CEEB23ADF6675AE079EACA8908889B396FF0A7D270D35B2FD3137D
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\671fb1a7b360b7f4281af5e52acc2c84compressed
MD5:5DC6C719F530956B72B23879BE0602ED
SHA256:BEA74E9A7E517C25B0407544147C4C9E65F59664AD60A4FCB30827DA9D7BE671
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Versions\RobloxStudioInstaller.exeexecutable
MD5:799AC31FF5F4839D05BD8E1E3DAC4DB4
SHA256:DA62B0238115F65630CE85D767C78C2DADE5E1D4A13AD9153AB8DA418EDCD8DE
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\4f23103d6f2f80089fb6cbaf29008349compressed
MD5:6CED45AE0FCB6620235271F2C6F41411
SHA256:AD64CF840A0FCE7924AC5F8A4F6900BFE73709A5A61031404A213AB563C286D8
6496firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
105
TCP/UDP connections
338
DNS requests
523
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
US
text
8 b
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
1.01 Kb
whitelisted
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
US
text
90 b
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
DE
binary
313 b
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CL
binary
973 b
whitelisted
6496
firefox.exe
POST
200
216.58.212.163:80
http://o.pki.goog/we2
US
binary
281 b
whitelisted
6496
firefox.exe
POST
200
216.58.212.163:80
http://o.pki.goog/we2
US
binary
281 b
whitelisted
6496
firefox.exe
POST
200
2.23.82.57:80
http://r11.o.lencr.org/
DE
binary
504 b
whitelisted
6496
firefox.exe
POST
200
216.58.212.163:80
http://o.pki.goog/s/wr3/jLM
US
binary
472 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.19.122.65:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1076
svchost.exe
2.19.106.8:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
  • 2.16.164.51
  • 2.16.164.9
  • 2.16.164.106
  • 2.16.164.18
  • 2.16.164.81
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 2.23.246.101
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.bing.com
  • 2.19.122.65
  • 2.19.122.4
  • 2.19.122.67
  • 2.19.122.7
  • 2.19.122.66
  • 2.19.122.11
  • 2.19.122.6
  • 2.19.122.10
  • 2.19.122.8
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.3
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
ecsv2.roblox.com
  • 128.116.123.4
whitelisted
client-telemetry.roblox.com
  • 128.116.44.4
  • 128.116.44.3
whitelisted

Threats

PID
Process
Class
Message
1944
svchost.exe
Misc activity
ET INFO Packed Executable Download
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Process
Message
RobloxPlayerInstaller.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-02-14T10:02:10.540Z,0.540811,22cc,6,Warning [FLog::RobloxStarter] Starting module: Network
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-02-14T10:02:10.542Z,0.542797,22cc,6,Warning [FLog::RobloxStarterNetworkStarterModule] userAgent: Roblox/WinInetRobloxApp/0.660.0.6600646 (GlobalDist; RobloxDirectDownload)
RobloxPlayerBeta.exe
2025-02-14T10:02:10.542Z,0.542797,22cc,6,Warning [FLog::RobloxStarter] Roblox stage ReadyForFlagFetch completed
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-02-14T10:02:10.546Z,0.546769,22cc,6,Info [FLog::UpdateController] WindowsUpdateController: updaterFullPath: C:\Users\admin\AppData\Local\Roblox\Versions\version-2d6639b3364b47cd\RobloxPlayerInstaller.exe
RobloxPlayerBeta.exe
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RobloxPlayerInstaller.exe