File name:

RobloxPlayerInstaller.exe

Full analysis: https://app.any.run/tasks/e2e97fa5-cbfa-474e-ae5e-d7c779d61848
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 09, 2024, 15:35:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3191D6165056C1D4283C23BC0B6A0785

SHA1:

D072084D2CAC90FACDF6EE9363C71A79FF001016

SHA256:

CBD127ECA5601EF7B8F7BEC72E73CF7AE1386696C68AF83A252C947559513791

SSDEEP:

98304:/Rs0qPAD9OO5A1MkthR8dFEHvPYVNT5dqOCX72aPP6UAVefEIVDq2KnJQ3xmODsi:khRbDkE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • RobloxPlayerInstaller.exe (PID: 6468)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6924)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Changes default file association

      • RobloxPlayerInstaller.exe (PID: 6468)
    • Executable content was dropped or overwritten

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Process drops legitimate windows executable

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 6924)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • RobloxStudioInstaller.exe (PID: 7496)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 5588)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4020)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7388)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6208)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6924)
    • Reads the date of Windows installation

      • MicrosoftEdgeUpdate.exe (PID: 6924)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 4604)
  • INFO

    • Creates files or folders in the user directory

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Process checks whether UAC notifications are on

      • RobloxPlayerInstaller.exe (PID: 6468)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Checks supported languages

      • RobloxPlayerInstaller.exe (PID: 6468)
      • TextInputHost.exe (PID: 6128)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeUpdate.exe (PID: 5588)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4020)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7388)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6208)
      • MicrosoftEdgeUpdate.exe (PID: 1132)
      • MicrosoftEdgeUpdate.exe (PID: 5908)
      • MicrosoftEdgeUpdate.exe (PID: 7696)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Reads the computer name

      • RobloxPlayerInstaller.exe (PID: 6468)
      • TextInputHost.exe (PID: 6128)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4020)
      • MicrosoftEdgeUpdate.exe (PID: 5588)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6208)
      • MicrosoftEdgeUpdate.exe (PID: 7696)
      • MicrosoftEdgeUpdate.exe (PID: 1132)
      • MicrosoftEdgeUpdate.exe (PID: 5908)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7388)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Reads the machine GUID from the registry

      • RobloxPlayerInstaller.exe (PID: 6468)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Create files in a temporary directory

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • RobloxStudioInstaller.exe (PID: 7496)
      • svchost.exe (PID: 4604)
    • Application launched itself

      • firefox.exe (PID: 6200)
      • firefox.exe (PID: 1116)
    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 1116)
    • Manual execution by a user

      • firefox.exe (PID: 6200)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • Taskmgr.exe (PID: 4424)
      • Taskmgr.exe (PID: 4576)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6924)
    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 1132)
      • MicrosoftEdgeUpdate.exe (PID: 7696)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 1132)
      • MicrosoftEdgeUpdate.exe (PID: 7696)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 4576)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 1132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:01:07 06:01:01+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 3504128
InitializedDataSize: 9812992
UninitializedDataSize: -
EntryPoint: 0x3019e0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.6.0.13737
ProductVersionNumber: 1.6.0.13737
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Roblox Corporation
FileDescription: Roblox
FileVersion: 1, 6, 0, 6370729
LegalCopyright: Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName: Roblox.exe
ProductName: Roblox Bootstrapper
ProductVersion: 1, 6, 0, 6370729
No data.
All screenshots are available in the full report
Total processes
171
Monitored processes
37
Malicious processes
4
Suspicious processes
1


Process information

PID
CMD
Path
Indicators
Parent process
PID: 936
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5456 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1488 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d45bfcc8-c6eb-4f8b-9422-7e380f2783c9} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" 20181bedbd0 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1116
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1132
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7RTJBMEI2MjItNzc2OC00RjkyLUFDMEYtNzQyNzFFOUYwMDlDfSIgdXNlcmlkPSJ7MkYxRDUyOEUtMzM4NS00NUQyLThGRDUtRjBCRUI3RjNEQUQ3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxQjIzNUM1Qy05RENBLTQwMzAtQTg3My0yODJBREJBQTU5QUR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA2MTY4MjE4NTUiIGluc3RhbGxfdGltZV9tcz0iNjk1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 3076
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1900 -parentBuildID 20240213221259 -prefsHandle 1840 -prefMapHandle 1820 -prefsLen 30537 -prefMapSize 244343 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e758fc9-6672-42b5-8398-577f037d3758} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" 20177dea010 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 4020
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4060
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -childID 2 -isForBrowser -prefsHandle 2452 -prefMapHandle 4648 -prefsLen 36263 -prefMapSize 244343 -jsInitHandle 1488 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {848fcfc8-0068-47ad-8387-1d01053a47a2} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" 2017ee7c850 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 4424
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
PID: 4576
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
PID: 4604
CMD: C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITS
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5052
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5464 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1488 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34d0a03b-4ba5-4d59-b935-3d252e5f4335} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" 20181beda10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
43 227
Read events
40 641
Write events
2 550
Delete events
36

Modification events

(PID) Process: (6468) RobloxPlayerInstaller.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation: write
Name: WarnOnOpen
Value:
0
(PID) Process: (6468) RobloxPlayerInstaller.exe
Key: HKEY_CLASSES_ROOT\roblox-studio
Operation: write
Name: URL Protocol
Value:
(PID) Process: (6468) RobloxPlayerInstaller.exe
Key: HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation: write
Name: version
Value:
version-ea4f8221cbd94062
(PID) Process: (4604) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
Operation: write
Name: PerfMMFileName
Value:
Global\MMF_BITS26ddc93d-098c-4db0-bd4f-0abf9a4e07d3
(PID) Process: (6200) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value:
B660CCD300000000
(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
A170CDD300000000
(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value:
0
(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value:
1
(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation: delete value
Name: installer.taskbarpin.win10.enabled
Value:
(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
0
Executable files
209
Suspicious files
203
Text files
48
Unknown types
12

Dropped files

PID
Process
Filename
Type
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\Desktop\Roblox Studio.lnk
Type: lnk
MD5: D6F61B89B0ED588FAB6848C4E6CE9545
SHA256: 3394311A0B8BC1E13957648E97852C60E60580E827DCF34DE4B2096504476CCE
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\logs\cacert.pem
Type: text
MD5: C656D325F5DF1991584F0BB00A27902F
SHA256: 98ECAF8DA767CCB2870DD30A5E7334D2F45702A3A33EC8B4286E6AE88B720EB8
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Versions\RobloxStudioInstaller.exe
Type: executable
MD5: 9F1EDAF7FEC140C4FBF752BCEB8FAEE9
SHA256: 810A386924E8AEB9AD6A432067A96B9AF05B2070B4A034B28C6D715D99740666
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\19affc812ec0cd2b1ff6c6b2bed67a44
Type: compressed
MD5: 19AFFC812EC0CD2B1FF6C6B2BED67A44
SHA256: 50DAF1CB5B5CB2501C786C85925BF096C1244EBCF5807EAA6474167CC7CB8A5F
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\a94b6d53eea3ae5600fc749c1a0bd8cc
Type: compressed
MD5: A94B6D53EEA3AE5600FC749C1A0BD8CC
SHA256: 94541B0A6B6A403C8D7243EB3078264473F3244EB467815DC574ADAA0CE849C5
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox\Roblox Studio.lnk
Type: lnk
MD5: F0138EA85CF29107568A842400B1723E
SHA256: 07FCD5A37C5E6EBEF9E997D17CF50E145B38E91A891836F330E6EF4F01BB3446
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\889e0052812b9ed64dd5653d29180ee7
Type: compressed
MD5: 889E0052812B9ED64DD5653D29180EE7
SHA256: 501BFA6CCEAB8DBE2510BCDE501E29C23D0786E8FB93AB9B4B8AABDD88973F16
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\1d0390337d1a4a58e5514be1a9481ad6
Type: compressed
MD5: 1D0390337D1A4A58E5514BE1A9481AD6
SHA256: C79F0EEB2BCA4905C585C50333DB3C6F727A554F5DB82E64948F93668FBC18AA
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\Roblox\http\RBX538FA726C630498C8C61436626F39DFE
Type: binary
MD5: 5C450619F83DB7400AF41C1076D5FCE6
SHA256: 5A605B987E7FCC079F311F8F998FF273D90671148B225471F2A540AC6F6F6BDF
PID: 6468
Process: RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\909f4b9d7bc03a926d35e84d0c99ffbf
Type: compressed
MD5: 909F4B9D7BC03A926D35E84D0C99FFBF
SHA256: C139AD55ACEBF739689CC1E29F84BA7731DC7FFC03F70BBBBD16929E3D439EC0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
83
TCP/UDP connections
258
DNS requests
346
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1568
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1568
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6900
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6940
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1116
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
1116
firefox.exe
POST
200
184.24.77.48:80
http://r11.o.lencr.org/
unknown
unknown
1116
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
1116
firefox.exe
POST
200
184.24.77.54:80
http://r10.o.lencr.org/
unknown
unknown
1116
firefox.exe
POST
200
184.24.77.54:80
http://r10.o.lencr.org/
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
4780
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1748
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6468
RobloxPlayerInstaller.exe
128.116.21.3:443
ecsv2.roblox.com
ROBLOX-PRODUCTION
US
unknown
6468
RobloxPlayerInstaller.exe
104.122.32.163:443
clientsettingscdn.roblox.com
AKAMAI-AS
DE
unknown
6468
RobloxPlayerInstaller.exe
205.234.175.102:443
setup.rbxcdn.com
CACHENETWORKS
US
unknown
4
System
192.168.100.255:137
whitelisted
4780
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
ecsv2.roblox.com
  • 128.116.21.3
whitelisted
clientsettingscdn.roblox.com
  • 104.122.32.163
  • 2.16.43.25
whitelisted
setup.rbxcdn.com
  • 205.234.175.102
whitelisted
www.bing.com
  • 23.207.210.196
  • 23.207.210.200
  • 104.126.37.139
  • 104.126.37.155
  • 104.126.37.161
  • 104.126.37.146
  • 104.126.37.160
  • 104.126.37.144
  • 104.126.37.153
  • 104.126.37.145
  • 104.126.37.154
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.72
  • 40.126.32.76
  • 40.126.32.133
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.17
  • 40.126.32.136
whitelisted
th.bing.com
  • 23.207.210.200
  • 23.207.210.196
  • 104.126.37.171
  • 104.126.37.128
  • 104.126.37.177
  • 104.126.37.139
  • 104.126.37.130
  • 104.126.37.186
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.123
whitelisted

Threats

PID
Process
Class
Message
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
4604
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4604
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
RobloxPlayerInstaller.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobloxStudioInstaller.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.