File name:

RobloxPlayerInstaller.exe

Full analysis: https://app.any.run/tasks/bc63f941-bcf3-4e77-88ce-75dc0743a498
Verdict: Malicious activity
Analysis date: February 14, 2025, 09:59:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
roblox
arch-doc
arch-scr
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

D1F5BA6D15F73E7F533EC0C37CDD0EE8

SHA1:

68C709E8BDB73A5006D8EB4FC524016BB80E99B2

SHA256:

C6A0E5F7CB081BA6881857B685F9CEE33D9F8B2585CAEC5BE31492C381F3C541

SSDEEP:

98304:wQs02ayAjsZO7VJvHWbJHxjqYtX1FiId1Uz5NLeGcp1OhNOD1Wdn6EKr3ETXB0YV:LPEPyPElSH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6172)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)

    • Executable content was dropped or overwritten

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Changes default file association

      • RobloxPlayerInstaller.exe (PID: 6712)

    • The process drops C-runtime libraries

      • RobloxPlayerInstaller.exe (PID: 6712)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 6172)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1304)
      • MicrosoftEdgeUpdate.exe (PID: 3744)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3920)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1044)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6172)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Application launched itself

      • setup.exe (PID: 8532)
      • MicrosoftEdgeUpdate.exe (PID: 5892)

    • Creates a software uninstall entry

      • setup.exe (PID: 8532)
      • RobloxPlayerInstaller.exe (PID: 6712)

    • Searches for installed software

      • setup.exe (PID: 8532)

    • Detected use of alternative data streams (AltDS)

      • RobloxPlayerBeta.exe (PID: 8904)

    • Executes application which crashes

      • RobloxPlayerBeta.exe (PID: 8904)

  • INFO

    • The sample compiled with english language support

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)

    • ROBLOX mutex has been found

      • RobloxPlayerInstaller.exe (PID: 6712)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Checks supported languages

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdate.exe (PID: 3744)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1304)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3920)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1044)
      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 1044)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)
      • setup.exe (PID: 8556)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • RobloxPlayerBeta.exe (PID: 8904)
      • RobloxCrashHandler.exe (PID: 9144)

    • Reads the machine GUID from the registry

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • RobloxPlayerBeta.exe (PID: 8904)
      • RobloxCrashHandler.exe (PID: 9144)

    • Reads the computer name

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3920)
      • MicrosoftEdgeUpdate.exe (PID: 3744)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1304)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1044)
      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdgeUpdate.exe (PID: 1044)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Process checks whether UAC notifications are on

      • RobloxPlayerInstaller.exe (PID: 6712)

    • Creates files or folders in the user directory

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8556)
      • setup.exe (PID: 8532)
      • RobloxPlayerBeta.exe (PID: 8904)
      • RobloxCrashHandler.exe (PID: 9144)
      • WerFault.exe (PID: 488)

    • Create files in a temporary directory

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Manual execution by a user

      • firefox.exe (PID: 3608)

    • Application launched itself

      • firefox.exe (PID: 3608)
      • firefox.exe (PID: 6496)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 8832)

    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • WerFault.exe (PID: 488)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • setup.exe (PID: 8532)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • RobloxPlayerBeta.exe (PID: 8904)
      • WerFault.exe (PID: 488)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2054:08:14 20:48:51+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 4767744
InitializedDataSize: 2888704
UninitializedDataSize: -
EntryPoint: 0x42b1e5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.6.2.36879
ProductVersionNumber: 1.6.2.36879
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Roblox Corporation
FileDescription: Roblox
FileVersion: 1, 6, 2, 6590479
LegalCopyright: Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName: Roblox.exe
ProductName: Roblox Bootstrapper
ProductVersion: 1, 6, 2, 6590479
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
168
Monitored processes
41
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start robloxplayerinstaller.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe firefox.exe no specs microsoftedge_x64_133.0.3065.59.exe setup.exe setup.exe no specs microsoftedgeupdate.exe robloxplayerbeta.exe robloxcrashhandler.exe werfault.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -parentBuildID 20240213221259 -sandboxingKind 3 -prefsHandle 8064 -prefMapHandle 8060 -prefsLen 38114 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1149ba74-34ce-49ed-89dd-364e6e2b0754} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd45d58110 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\vcruntime140.dll
432"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7MTFDQjFDRDctRDk0My00QTQzLUE1Q0QtRjI1MjcyNEZGQTcxfSIgdXNlcmlkPSJ7NEQyNzM0OTQtNjVBNi00MzkzLUI2RjUtQkUwMzdBRUVGODg2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBREFCQjU5Mi0yMzJCLTRCNEMtOEQ3NS1ENzM5MTQ2NTUwNjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzMDg5MjMzODIiIGluc3RhbGxfdGltZV9tcz0iMTEyMSIvPjwvYXBwPjwvcmVxdWVzdD4C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
488C:\WINDOWS\system32\WerFault.exe -u -p 8904 -s 2824C:\Windows\System32\WerFault.exe
RobloxPlayerBeta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
1044"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1044"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{11CB1CD7-D943-4A43-A5CD-F252724FFA71}" /silentC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
1304"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2084"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 2 -isForBrowser -prefsHandle 4372 -prefMapHandle 4368 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1532 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed550782-d28e-4973-b9d5-7e41eca40ff2} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd4418d690 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2324"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 6 -isForBrowser -prefsHandle 5684 -prefMapHandle 5680 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1532 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0962270-3ca8-49ce-bf54-07a2cb7fe32c} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd484284d0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
2612"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7612 -childID 16 -isForBrowser -prefsHandle 7872 -prefMapHandle 7868 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1532 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf9d2549-989d-47c5-bbd4-98cd51dda3d9} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd493baf50 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
51 274
Read events
47 998
Write events
3 209
Delete events
67

Modification events

(PID) Process:(6712) RobloxPlayerInstaller.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation:writeName:WarnOnOpen
Value:
0
(PID) Process:(6712) RobloxPlayerInstaller.exeKey:HKEY_CLASSES_ROOT\roblox-studio
Operation:writeName:URL Protocol
Value:
(PID) Process:(6712) RobloxPlayerInstaller.exeKey:HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation:writeName:version
Value:
version-6b610f1860d74e5d
(PID) Process:(6496) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:delete valueName:eulaaccepted
Value:
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:writeName:path
Value:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:writeName:UninstallCmdLine
Value:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:writeName:pv
Value:
1.3.171.39
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:writeName:name
Value:
Microsoft Edge Update
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:writeName:pv
Value:
1.3.171.39
Executable files
211
Suspicious files
262
Text files
64
Unknown types
0

Dropped files

PID
Process
Filename
Type
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\logs\cacert.pemtext
MD5:6CED45AE0FCB6620235271F2C6F41411
SHA256:AD64CF840A0FCE7924AC5F8A4F6900BFE73709A5A61031404A213AB563C286D8
6496firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Versions\RobloxStudioInstaller.exeexecutable
MD5:799AC31FF5F4839D05BD8E1E3DAC4DB4
SHA256:DA62B0238115F65630CE85D767C78C2DADE5E1D4A13AD9153AB8DA418EDCD8DE
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Temp\Roblox\http\8913724486d5e3c463c493b25346ca31binary
MD5:D57A4849C167E02FB247A67035BEE744
SHA256:83B14EE9E7F5030BA9A0E859F6B9A71C10EA2A066A2BCC96034046938B772718
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\671fb1a7b360b7f4281af5e52acc2c84compressed
MD5:671FB1A7B360B7F4281AF5E52ACC2C84
SHA256:B1A1E1E797E1C39277153B76DF1DAD2A8FE3EDD1419540C4FFFD3574A4485436
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\15bd216e6fae9ca480c21db01ce4ae3bcompressed
MD5:15BD216E6FAE9CA480C21DB01CE4AE3B
SHA256:DD788F4010754D48447E50C1522B5A1E8CCF4EA457C7D80FBA4F6F6B7F24633F
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\b4b75c21ce05378163042dc45cec5834compressed
MD5:B4B75C21CE05378163042DC45CEC5834
SHA256:4D6FE68C8B4941CE335CE5597EBBC1F27AB02646E9AF98AF8A76875AD0FD191F
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Temp\Roblox\http\RBX94522CCC7A26405997615DC2E2E3F237binary
MD5:D57A4849C167E02FB247A67035BEE744
SHA256:83B14EE9E7F5030BA9A0E859F6B9A71C10EA2A066A2BCC96034046938B772718
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\b124ca6c93b842fb5b7f17b51d928f11compressed
MD5:B124CA6C93B842FB5B7F17B51D928F11
SHA256:4072718AC9823211D35ED10E26B57E15632F739710C783E31F4468F819D0FD78
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox\Roblox Studio.lnkbinary
MD5:458A3A6DC92972DBF312F1BDC29258B0
SHA256:EBE4CBBEB7CEEB23ADF6675AE079EACA8908889B396FF0A7D270D35B2FD3137D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
105
TCP/UDP connections
338
DNS requests
523
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6496
firefox.exe
POST
200
2.23.82.57:80
http://r11.o.lencr.org/
unknown
whitelisted
6496
firefox.exe
POST
200
2.23.82.9:80
http://r10.o.lencr.org/
unknown
whitelisted
6496
firefox.exe
POST
200
2.23.82.9:80
http://r10.o.lencr.org/
unknown
whitelisted
6496
firefox.exe
POST
200
2.23.82.9:80
http://r10.o.lencr.org/
unknown
whitelisted
6496
firefox.exe
POST
200
2.23.82.57:80
http://r11.o.lencr.org/
unknown
whitelisted
6496
firefox.exe
POST
200
2.23.82.9:80
http://r10.o.lencr.org/
unknown
whitelisted
6496
firefox.exe
POST
200
216.58.212.163:80
http://o.pki.goog/we2
unknown
whitelisted
6496
firefox.exe
POST
200
216.58.212.163:80
http://o.pki.goog/we2
unknown
whitelisted
6496
firefox.exe
POST
200
216.58.212.163:80
http://o.pki.goog/s/wr3/3cs
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.19.122.65:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1076
svchost.exe
2.19.106.8:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
  • 2.16.164.51
  • 2.16.164.9
  • 2.16.164.106
  • 2.16.164.18
  • 2.16.164.81
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 2.23.246.101
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.bing.com
  • 2.19.122.65
  • 2.19.122.4
  • 2.19.122.67
  • 2.19.122.7
  • 2.19.122.66
  • 2.19.122.11
  • 2.19.122.6
  • 2.19.122.10
  • 2.19.122.8
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.3
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
ecsv2.roblox.com
  • 128.116.123.4
whitelisted
client-telemetry.roblox.com
  • 128.116.44.4
  • 128.116.44.3
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Packed Executable Download
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Process
Message
RobloxPlayerInstaller.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-02-14T10:02:10.540Z,0.540811,22cc,6,Warning [FLog::RobloxStarter] Starting module: Network
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-02-14T10:02:10.542Z,0.542797,22cc,6,Warning [FLog::RobloxStarterNetworkStarterModule] userAgent: Roblox/WinInetRobloxApp/0.660.0.6600646 (GlobalDist; RobloxDirectDownload)
RobloxPlayerBeta.exe
2025-02-14T10:02:10.542Z,0.542797,22cc,6,Warning [FLog::RobloxStarter] Roblox stage ReadyForFlagFetch completed
RobloxPlayerBeta.exe
2025-02-14T10:02:10.543Z,0.543790,22cc,6,Info [FLog::UpdateController] UpdateController: versionQueryUrl: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayer
RobloxPlayerBeta.exe
2025-02-14T10:02:10.546Z,0.546769,235c,6,Info [FLog::UpdateController] Update check thread started
RobloxPlayerBeta.exe
2025-02-14T10:02:10.546Z,0.546769,22cc,6,Info [FLog::UpdateController] WindowsUpdateController: updaterFullPath: C:\Users\admin\AppData\Local\Roblox\Versions\version-2d6639b3364b47cd\RobloxPlayerInstaller.exe
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
RobloxPlayerInstaller.exe