File name:

RobloxPlayerInstaller.exe

Full analysis: https://app.any.run/tasks/bc63f941-bcf3-4e77-88ce-75dc0743a498
Verdict: Malicious activity
Analysis date: February 14, 2025, 09:59:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
roblox
arch-doc
arch-scr
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

D1F5BA6D15F73E7F533EC0C37CDD0EE8

SHA1:

68C709E8BDB73A5006D8EB4FC524016BB80E99B2

SHA256:

C6A0E5F7CB081BA6881857B685F9CEE33D9F8B2585CAEC5BE31492C381F3C541

SSDEEP:

98304:wQs02ayAjsZO7VJvHWbJHxjqYtX1FiId1Uz5NLeGcp1OhNOD1Wdn6EKr3ETXB0YV:LPEPyPElSH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6172)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)

    • Changes default file association

      • RobloxPlayerInstaller.exe (PID: 6712)

    • The process drops C-runtime libraries

      • RobloxPlayerInstaller.exe (PID: 6712)

    • Executable content was dropped or overwritten

      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • setup.exe (PID: 8532)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 6172)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 3744)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3920)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1304)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1044)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6172)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Application launched itself

      • setup.exe (PID: 8532)
      • MicrosoftEdgeUpdate.exe (PID: 5892)

    • Searches for installed software

      • setup.exe (PID: 8532)

    • Creates a software uninstall entry

      • setup.exe (PID: 8532)
      • RobloxPlayerInstaller.exe (PID: 6712)

    • Executes application which crashes

      • RobloxPlayerBeta.exe (PID: 8904)

    • Detected use of alternative data streams (AltDS)

      • RobloxPlayerBeta.exe (PID: 8904)

  • INFO

    • Reads the machine GUID from the registry

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • RobloxPlayerBeta.exe (PID: 8904)
      • RobloxCrashHandler.exe (PID: 9144)

    • Process checks whether UAC notifications are on

      • RobloxPlayerInstaller.exe (PID: 6712)

    • Checks supported languages

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdate.exe (PID: 3744)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3920)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1044)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1304)
      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 1044)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • setup.exe (PID: 8532)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8556)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • RobloxPlayerBeta.exe (PID: 8904)
      • RobloxCrashHandler.exe (PID: 9144)

    • Creates files or folders in the user directory

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • setup.exe (PID: 8556)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)
      • RobloxPlayerBeta.exe (PID: 8904)
      • RobloxCrashHandler.exe (PID: 9144)
      • WerFault.exe (PID: 488)

    • Reads the computer name

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1304)
      • MicrosoftEdgeUpdate.exe (PID: 3744)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3920)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1044)
      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 1044)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • setup.exe (PID: 8532)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • RobloxPlayerBeta.exe (PID: 8904)

    • ROBLOX mutex has been found

      • RobloxPlayerInstaller.exe (PID: 6712)
      • RobloxPlayerBeta.exe (PID: 8904)

    • The sample compiled with english language support

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • MicrosoftEdge_X64_133.0.3065.59.exe (PID: 8512)
      • setup.exe (PID: 8532)

    • Manual execution by a user

      • firefox.exe (PID: 3608)

    • Application launched itself

      • firefox.exe (PID: 3608)
      • firefox.exe (PID: 6496)

    • Create files in a temporary directory

      • RobloxPlayerInstaller.exe (PID: 6712)
      • MicrosoftEdgeWebview2Setup.exe (PID: 3632)
      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6172)
      • setup.exe (PID: 8532)
      • RobloxPlayerBeta.exe (PID: 8904)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 8832)

    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • WerFault.exe (PID: 488)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 432)
      • MicrosoftEdgeUpdate.exe (PID: 5892)
      • MicrosoftEdgeUpdate.exe (PID: 8832)
      • RobloxPlayerBeta.exe (PID: 8904)
      • WerFault.exe (PID: 488)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2054:08:14 20:48:51+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 4767744
InitializedDataSize: 2888704
UninitializedDataSize: -
EntryPoint: 0x42b1e5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.6.2.36879
ProductVersionNumber: 1.6.2.36879
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Roblox Corporation
FileDescription: Roblox
FileVersion: 1, 6, 2, 6590479
LegalCopyright: Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName: Roblox.exe
ProductName: Roblox Bootstrapper
ProductVersion: 1, 6, 2, 6590479
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
168
Monitored processes
41
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start robloxplayerinstaller.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe firefox.exe no specs microsoftedge_x64_133.0.3065.59.exe setup.exe setup.exe no specs microsoftedgeupdate.exe robloxplayerbeta.exe robloxcrashhandler.exe werfault.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -parentBuildID 20240213221259 -sandboxingKind 3 -prefsHandle 8064 -prefMapHandle 8060 -prefsLen 38114 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1149ba74-34ce-49ed-89dd-364e6e2b0754} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd45d58110 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\vcruntime140.dll
432"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7MTFDQjFDRDctRDk0My00QTQzLUE1Q0QtRjI1MjcyNEZGQTcxfSIgdXNlcmlkPSJ7NEQyNzM0OTQtNjVBNi00MzkzLUI2RjUtQkUwMzdBRUVGODg2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBREFCQjU5Mi0yMzJCLTRCNEMtOEQ3NS1ENzM5MTQ2NTUwNjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzMDg5MjMzODIiIGluc3RhbGxfdGltZV9tcz0iMTEyMSIvPjwvYXBwPjwvcmVxdWVzdD4C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
488C:\WINDOWS\system32\WerFault.exe -u -p 8904 -s 2824C:\Windows\System32\WerFault.exe
RobloxPlayerBeta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
1044"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1044"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{11CB1CD7-D943-4A43-A5CD-F252724FFA71}" /silentC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
1304"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2084"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 2 -isForBrowser -prefsHandle 4372 -prefMapHandle 4368 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1532 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed550782-d28e-4973-b9d5-7e41eca40ff2} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd4418d690 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2324"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 6 -isForBrowser -prefsHandle 5684 -prefMapHandle 5680 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1532 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0962270-3ca8-49ce-bf54-07a2cb7fe32c} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd484284d0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
2612"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7612 -childID 16 -isForBrowser -prefsHandle 7872 -prefMapHandle 7868 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1532 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf9d2549-989d-47c5-bbd4-98cd51dda3d9} 6496 "\\.\pipe\gecko-crash-server-pipe.6496" 1dd493baf50 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
51 274
Read events
47 998
Write events
3 209
Delete events
67

Modification events

(PID) Process:(6712) RobloxPlayerInstaller.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation:writeName:WarnOnOpen
Value:
0
(PID) Process:(6712) RobloxPlayerInstaller.exeKey:HKEY_CLASSES_ROOT\roblox-studio
Operation:writeName:URL Protocol
Value:
(PID) Process:(6712) RobloxPlayerInstaller.exeKey:HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation:writeName:version
Value:
version-6b610f1860d74e5d
(PID) Process:(6496) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:delete valueName:eulaaccepted
Value:
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:writeName:path
Value:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:writeName:UninstallCmdLine
Value:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:writeName:pv
Value:
1.3.171.39
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:writeName:name
Value:
Microsoft Edge Update
(PID) Process:(6172) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:writeName:pv
Value:
1.3.171.39
Executable files
211
Suspicious files
262
Text files
64
Unknown types
0

Dropped files

PID
Process
Filename
Type
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\aaae84f3721bb879e4ff5b3491a8db35compressed
MD5:AAAE84F3721BB879E4FF5B3491A8DB35
SHA256:1A08933AFE32D7F13714F363AB360F27C03DA18CCD005B2BBCFB5F92F04E51D3
6496firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox\Roblox Studio.lnkbinary
MD5:458A3A6DC92972DBF312F1BDC29258B0
SHA256:EBE4CBBEB7CEEB23ADF6675AE079EACA8908889B396FF0A7D270D35B2FD3137D
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\logs\cacert.pemtext
MD5:6CED45AE0FCB6620235271F2C6F41411
SHA256:AD64CF840A0FCE7924AC5F8A4F6900BFE73709A5A61031404A213AB563C286D8
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\32622161783a33a229827a2a0261cc16compressed
MD5:32622161783A33A229827A2A0261CC16
SHA256:631125E9AB228CCC5CA7CC723EABC683BAFA245F2E63B9FB23A55073DF017C12
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\6afd47a719d26cac99abd568c21f2066compressed
MD5:6AFD47A719D26CAC99ABD568C21F2066
SHA256:F8C9F80C413BBC3A95624BCC39FA7B00100CCA26DF312C58542308A8A331D5DD
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\b124ca6c93b842fb5b7f17b51d928f11compressed
MD5:B124CA6C93B842FB5B7F17B51D928F11
SHA256:4072718AC9823211D35ED10E26B57E15632F739710C783E31F4468F819D0FD78
6712RobloxPlayerInstaller.exeC:\Users\admin\Desktop\Roblox Studio.lnkbinary
MD5:FC586AE318EB87C745583AF8EC048BC8
SHA256:88840E174EBF5D1660ED9D823AED326971FFB68C3CED0AE110FEE4D2BC519F7D
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\e54e2faa6a097c3304d78bda8d446921compressed
MD5:E54E2FAA6A097C3304D78BDA8D446921
SHA256:C36020B21AA4AB6DB0B36A94834398385AE975E671572A00E830C1CA8DEB98DE
6712RobloxPlayerInstaller.exeC:\Users\admin\AppData\Local\Roblox\Versions\RobloxStudioInstaller.exeexecutable
MD5:799AC31FF5F4839D05BD8E1E3DAC4DB4
SHA256:DA62B0238115F65630CE85D767C78C2DADE5E1D4A13AD9153AB8DA418EDCD8DE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
105
TCP/UDP connections
338
DNS requests
523
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6496
firefox.exe
POST
200
216.58.212.163:80
http://o.pki.goog/s/wr3/jLM
unknown
whitelisted
6496
firefox.exe
POST
200
2.23.82.57:80
http://r11.o.lencr.org/
unknown
whitelisted
6496
firefox.exe
POST
200
2.23.82.9:80
http://r10.o.lencr.org/
unknown
whitelisted
6496
firefox.exe
POST
200
216.58.212.163:80
http://o.pki.goog/we2
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.19.122.65:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1076
svchost.exe
2.19.106.8:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
  • 2.16.164.51
  • 2.16.164.9
  • 2.16.164.106
  • 2.16.164.18
  • 2.16.164.81
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 2.23.246.101
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.bing.com
  • 2.19.122.65
  • 2.19.122.4
  • 2.19.122.67
  • 2.19.122.7
  • 2.19.122.66
  • 2.19.122.11
  • 2.19.122.6
  • 2.19.122.10
  • 2.19.122.8
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.3
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
ecsv2.roblox.com
  • 128.116.123.4
whitelisted
client-telemetry.roblox.com
  • 128.116.44.4
  • 128.116.44.3
whitelisted

Threats

PID
Process
Class
Message
1944
svchost.exe
Misc activity
ET INFO Packed Executable Download
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
Process
Message
RobloxPlayerInstaller.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-02-14T10:02:10.540Z,0.540811,22cc,6,Warning [FLog::RobloxStarter] Starting module: Network
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-02-14T10:02:10.542Z,0.542797,22cc,6,Warning [FLog::RobloxStarterNetworkStarterModule] userAgent: Roblox/WinInetRobloxApp/0.660.0.6600646 (GlobalDist; RobloxDirectDownload)
RobloxPlayerBeta.exe
2025-02-14T10:02:10.542Z,0.542797,22cc,6,Warning [FLog::RobloxStarter] Roblox stage ReadyForFlagFetch completed
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
RobloxPlayerBeta.exe
2025-02-14T10:02:10.546Z,0.546769,22cc,6,Info [FLog::UpdateController] WindowsUpdateController: updaterFullPath: C:\Users\admin\AppData\Local\Roblox\Versions\version-2d6639b3364b47cd\RobloxPlayerInstaller.exe
RobloxPlayerBeta.exe
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RobloxPlayerInstaller.exe