File name:

RobloxPlayerInstaller.exe

Full analysis: https://app.any.run/tasks/e2e97fa5-cbfa-474e-ae5e-d7c779d61848
Verdict: Malicious activity
Threats:

Stealers are a class of malware designed to gain unauthorized access to a user's information and exfiltrate it to the attacker. The category covers programs that each target a particular kind of data, including files, passwords and cryptocurrency. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: August 09, 2024, 15:35:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3191D6165056C1D4283C23BC0B6A0785

SHA1:

D072084D2CAC90FACDF6EE9363C71A79FF001016

SHA256:

CBD127ECA5601EF7B8F7BEC72E73CF7AE1386696C68AF83A252C947559513791

SSDEEP:

98304:/Rs0qPAD9OO5A1MkthR8dFEHvPYVNT5dqOCX72aPP6UAVefEIVDq2KnJQ3xmODsi:khRbDkE

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by the analyst's actions in the sandbox and is provided as is; ANY.RUN does not guarantee that the content is malicious or safe. Note that several processes below (firefox.exe, Taskmgr.exe, and the second RobloxPlayerInstaller.exe and RobloxStudioInstaller.exe runs) are flagged as manual execution by a user, i.e. started by the analyst rather than by the sample.
  • MALICIOUS

    • Actions look like stealing of personal data

      • RobloxPlayerInstaller.exe (PID: 6468)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6924)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Drops the executable file immediately after the start

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Changes default file association

      • RobloxPlayerInstaller.exe (PID: 6468)
    • Process drops legitimate windows executable

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 6924)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • RobloxStudioInstaller.exe (PID: 7496)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4020)
      • MicrosoftEdgeUpdate.exe (PID: 5588)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6208)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7388)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6924)
    • Reads the date of Windows installation

      • MicrosoftEdgeUpdate.exe (PID: 6924)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 4604)
  • INFO

    • Checks supported languages

      • RobloxPlayerInstaller.exe (PID: 6468)
      • TextInputHost.exe (PID: 6128)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeUpdate.exe (PID: 5588)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7388)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4020)
      • MicrosoftEdgeUpdate.exe (PID: 1132)
      • MicrosoftEdgeUpdate.exe (PID: 5908)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6208)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • RobloxStudioInstaller.exe (PID: 7724)
      • MicrosoftEdgeUpdate.exe (PID: 7696)
    • Process checks whether UAC notifications are on

      • RobloxPlayerInstaller.exe (PID: 6468)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Creates files or folders in the user directory

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Reads the computer name

      • RobloxPlayerInstaller.exe (PID: 6468)
      • TextInputHost.exe (PID: 6128)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • MicrosoftEdgeUpdate.exe (PID: 5588)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4020)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7388)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6208)
      • MicrosoftEdgeUpdate.exe (PID: 1132)
      • MicrosoftEdgeUpdate.exe (PID: 5908)
      • MicrosoftEdgeUpdate.exe (PID: 7696)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Reads the machine GUID from the registry

      • RobloxPlayerInstaller.exe (PID: 6468)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • RobloxStudioInstaller.exe (PID: 7724)
    • Application launched itself

      • firefox.exe (PID: 6200)
      • firefox.exe (PID: 1116)
    • Create files in a temporary directory

      • RobloxPlayerInstaller.exe (PID: 6468)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 6924)
      • RobloxStudioInstaller.exe (PID: 7496)
      • svchost.exe (PID: 4604)
    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 1116)
    • Manual execution by a user

      • firefox.exe (PID: 6200)
      • RobloxStudioInstaller.exe (PID: 7496)
      • RobloxPlayerInstaller.exe (PID: 6172)
      • Taskmgr.exe (PID: 4424)
      • Taskmgr.exe (PID: 4576)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 1132)
    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 1132)
      • MicrosoftEdgeUpdate.exe (PID: 7696)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6924)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 1132)
      • MicrosoftEdgeUpdate.exe (PID: 7696)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 4576)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:01:07 06:01:01+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 3504128
InitializedDataSize: 9812992
UninitializedDataSize: -
EntryPoint: 0x3019e0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.6.0.13737
ProductVersionNumber: 1.6.0.13737
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Roblox Corporation
FileDescription: Roblox
FileVersion: 1, 6, 0, 6370729
LegalCopyright: Copyright © 2020 Roblox Corporation. All rights reserved.
OriginalFileName: Roblox.exe
ProductName: Roblox Bootstrapper
ProductVersion: 1, 6, 0, 6370729
No data.
All screenshots are available in the full report
Total processes
171
Monitored processes
37
Malicious processes
4
Suspicious processes
1

Behavior graph

Processes in the graph, in launch order ("no specs" marks a process for which the report has no detail record):

start: robloxplayerinstaller.exe
firefox.exe (no specs), firefox.exe, firefox.exe (no specs) x3
textinputhost.exe (no specs)
firefox.exe (no specs) x14
rundll32.exe (no specs)
microsoftedgewebview2setup.exe
microsoftedgeupdate.exe, microsoftedgeupdate.exe (no specs)
microsoftedgeupdatecomregistershell64.exe (no specs) x3
microsoftedgeupdate.exe, microsoftedgeupdate.exe (no specs), microsoftedgeupdate.exe
svchost.exe
robloxplayerinstaller.exe
robloxstudioinstaller.exe x2
taskmgr.exe (no specs), taskmgr.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 936
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5456 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1488 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d45bfcc8-c6eb-4f8b-9422-7e380f2783c9} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" 20181bedbd0 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1116
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1132
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7RTJBMEI2MjItNzc2OC00RjkyLUFDMEYtNzQyNzFFOUYwMDlDfSIgdXNlcmlkPSJ7MkYxRDUyOEUtMzM4NS00NUQyLThGRDUtRjBCRUI3RjNEQUQ3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxQjIzNUM1Qy05RENBLTQwMzAtQTg3My0yODJBREJBQTU5QUR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA2MTY4MjE4NTUiIGluc3RhbGxfdGltZV9tcz0iNjk1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 3076
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1900 -parentBuildID 20240213221259 -prefsHandle 1840 -prefMapHandle 1820 -prefsLen 30537 -prefMapSize 244343 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e758fc9-6672-42b5-8398-577f037d3758} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" 20177dea010 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 4020
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.171.39\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4060
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -childID 2 -isForBrowser -prefsHandle 2452 -prefMapHandle 4648 -prefsLen 36263 -prefMapSize 244343 -jsInitHandle 1488 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {848fcfc8-0068-47ad-8387-1d01053a47a2} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" 2017ee7c850 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 4424
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
PID: 4576
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
PID: 4604
CMD: C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITS
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5052
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5464 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1488 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34d0a03b-4ba5-4d59-b935-3d252e5f4335} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" 20181beda10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
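The /ping argument on the PID 1132 MicrosoftEdgeUpdate.exe command line in the process list above is an Omaha (Edge Update) client request, carried as URL-safe base64 with the padding stripped (the string contains '-' characters and no '='). The Python below is an added example, not ANY.RUN's or Microsoft's code: it restores the padding, decodes the XML and pulls out the fields an analyst records from such a ping (updater version, install scope, OS build, OEM, app id and the reported event). It assumes only the base64url convention visible in the argument and the Omaha v3 request layout; the argument itself is copied verbatim from the report.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

# /ping argument copied from the PID 1132 MicrosoftEdgeUpdate.exe command line in this report.
PING_ARG = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIg"
    "dXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIg"
    "c2Vzc2lvbmlkPSJ7RTJBMEI2MjItNzc2OC00RjkyLUFDMEYtNzQyNzFFOUYwMDlDfSIg"
    "dXNlcmlkPSJ7MkYxRDUyOEUtMzM4NS00NUQyLThGRDUtRjBCRUI3RjNEQUQ3fSIg"
    "aW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxQjIzNUM1Qy05RENBLTQwMzAtQTg3My0yODJBREJBQTU5QUR9IiB"
    "kZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEi"
    "IHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYi"
    "IHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-"
    "PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIg"
    "bGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIg"
    "c3lzdGVtX3VwdGltZV90aWNrcz0iMTA2MTY4MjE4NTUiIGluc3RhbGxfdGltZV9tcz0iNjk1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg"
)


def decode_omaha_ping(arg: str) -> bytes:
    """The updater passes the request XML as URL-safe base64 with the '='
    padding stripped; restore the padding, then decode."""
    arg = arg.strip()
    return base64.urlsafe_b64decode(arg + "=" * (-len(arg) % 4))


def encode_omaha_ping(xml_text: str) -> str:
    """Inverse of decode_omaha_ping (URL-safe alphabet, padding removed);
    handy for building test vectors."""
    raw = base64.urlsafe_b64encode(xml_text.encode("utf-8"))
    return raw.decode("ascii").rstrip("=")


def summarize_ping(arg: str) -> Dict[str, Any]:
    """Decode and parse the request; return the fields worth recording."""
    root = ET.fromstring(decode_omaha_ping(arg))
    if root.tag != "request":
        raise ValueError(f"unexpected root element {root.tag!r}")

    def attrs(tag: str, *names: str) -> Dict[str, str]:
        el = root.find(tag)
        return {} if el is None else {n: el.get(n, "") for n in names}

    apps: List[Dict[str, Any]] = []
    for app in root.findall("app"):
        apps.append({
            "appid": app.get("appid", ""),
            "version": app.get("version", ""),
            "nextversion": app.get("nextversion", ""),
            # one (eventtype, eventresult, errorcode) tuple per reported event
            "events": [
                (ev.get("eventtype"), ev.get("eventresult"), ev.get("errorcode"))
                for ev in app.findall("event")
            ],
        })

    return {
        "protocol": root.get("protocol"),
        "updater": root.get("updater"),
        "updaterversion": root.get("updaterversion"),
        "ismachine": root.get("ismachine"),   # "0" = per-user install
        "sessionid": root.get("sessionid"),
        "userid": root.get("userid"),
        "hw": attrs("hw", "logical_cpus", "physmemory"),
        "os": attrs("os", "platform", "version", "arch"),
        "oem": attrs("oem", "product_manufacturer", "product_name"),
        "apps": apps,
    }


if __name__ == "__main__":
    for key, value in summarize_ping(PING_ARG).items():
        print(f"{key}: {value}")
```

The decoded request reports ismachine="0" (a per-user install, which is why the updater lives under %LocalAppData%\Microsoft\EdgeUpdate and trips the "Starts a Microsoft application from unusual location" signature), an OS build of 10.0.19045.4046 matching the sandbox VM, and a single app entry whose nextversion 1.3.171.39 equals the MicrosoftEdgeUpdate.exe file version listed for the process; in Omaha's event vocabulary eventtype 2 with eventresult 1 is a successful install-complete event. The userid and sessionid GUIDs are per-installation identifiers worth keeping when correlating pings across runs.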
Total events
43 227
Read events
40 641
Write events
2 550
Delete events
36

Modification events

(PID) Process: (6468) RobloxPlayerInstaller.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation: write
Name: WarnOnOpen
Value: 0

(PID) Process: (6468) RobloxPlayerInstaller.exe
Key: HKEY_CLASSES_ROOT\roblox-studio
Operation: write
Name: URL Protocol
Value:

(PID) Process: (6468) RobloxPlayerInstaller.exe
Key: HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation: write
Name: version
Value: version-ea4f8221cbd94062

(PID) Process: (4604) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
Operation: write
Name: PerfMMFileName
Value: Global\MMF_BITS26ddc93d-098c-4db0-bd4f-0abf9a4e07d3

(PID) Process: (6200) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value: B660CCD300000000

(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value: A170CDD300000000

(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value: 0

(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value: 1

(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation: delete value
Name: installer.taskbarpin.win10.enabled
Value:

(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value: 0
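The RobloxPlayerInstaller.exe events above register a custom roblox-studio: URL scheme (HKEY_CLASSES_ROOT\roblox-studio with a URL Protocol value and a shell\open\command handler key) and write WarnOnOpen=0 under Internet Explorer\ProtocolExecute for that scheme, which suppresses the "allow this website to open a program?" prompt when a roblox-studio: link is launched. The Python below is an added example, not ANY.RUN's code: it parses modification-event records in the report's layout (tolerating the fused "RobloxPlayerInstaller.exeKey:" form that text extraction produces) and flags URL-protocol registration, protocol-warning suppression and Run-key autoruns. The RobloxPlayerInstaller.exe and firefox.exe records in its sample are copied from this report; the MicrosoftEdgeUpdate.exe Run-key record is constructed, because the report flags an autorun write by PID 6924 but does not print the key.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# One record per event, in the layout of the report's "Modification events" section.
# Non-greedy fields plus re.S let the same regex read both
#   "(PID) Process: (6468) RobloxPlayerInstaller.exe\nKey: HKEY_..."  and
#   "(PID) Process:(6468) RobloxPlayerInstaller.exeKey:HKEY_..."  (fused by extraction).
RECORD_RE = re.compile(
    r"\(PID\)\s*Process:\s*\((?P<pid>\d+)\)\s*(?P<proc>.*?)\s*"
    r"Key:\s*(?P<key>.*?)\s*"
    r"Operation:\s*(?P<op>write|delete value|delete key)\s*"
    r"Name:\s*(?P<name>.*?)\s*"
    r"Value:\s*(?P<value>.*?)\s*"
    r"(?=\(PID\)\s*Process:|\Z)",
    re.S,
)

# Persistence: Run-style keys under CurrentVersion (HKCU or HKLM).
AUTORUN_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)(\\|$)", re.I)
# IE/legacy protocol-launch prompt per scheme.
PROTOCOL_WARN_RE = re.compile(r"\\Internet Explorer\\ProtocolExecute\\([^\\]+)$", re.I)
# ProgID/scheme registrations: HKCR\<scheme>[\subkey...] or the per-hive Classes view.
CLASSES_RE = re.compile(
    r"^(?:HKEY_CLASSES_ROOT|HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\SOFTWARE\\Classes)"
    r"\\([^\\]+)(\\.*)?$", re.I)


@dataclass
class RegEvent:
    pid: int
    process: str
    key: str
    operation: str
    name: str
    value: str


Finding = Tuple[int, str, str]  # (pid, rule, detail)


def parse_events(text: str) -> List[RegEvent]:
    return [
        RegEvent(int(m["pid"]), m["proc"], m["key"], m["op"], m["name"], m["value"])
        for m in RECORD_RE.finditer(text)
    ]


def triage(events: List[RegEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for e in events:
        if e.operation == "write" and AUTORUN_RE.search(e.key):
            findings.append((e.pid, "autorun", f"{e.name}={e.value}"))
        m = PROTOCOL_WARN_RE.search(e.key)
        if m and e.name.lower() == "warnonopen" and e.value == "0":
            findings.append((e.pid, "protocol-warning-suppressed", m.group(1)))
        m = CLASSES_RE.match(e.key)
        if m:
            scheme, subkey = m.group(1), (m.group(2) or "").lower()
            if e.name == "URL Protocol":
                findings.append((e.pid, "url-protocol-registered", scheme))
            elif subkey.endswith(r"\shell\open\command"):
                findings.append((e.pid, "protocol-handler-command",
                                 f"{scheme}: {e.name}={e.value}"))
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(parse_events(text))


# Constructed sample: the three RobloxPlayerInstaller.exe records and the firefox.exe
# record are copied from this report; the MicrosoftEdgeUpdate.exe Run-key record is
# invented to exercise the autorun rule.
SAMPLE = r"""
(PID) Process: (6468) RobloxPlayerInstaller.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio
Operation: write
Name: WarnOnOpen
Value: 0
(PID) Process: (6468) RobloxPlayerInstaller.exe
Key: HKEY_CLASSES_ROOT\roblox-studio
Operation: write
Name: URL Protocol
Value:
(PID) Process: (6468) RobloxPlayerInstaller.exe
Key: HKEY_CLASSES_ROOT\roblox-studio\shell\open\command
Operation: write
Name: version
Value: version-ea4f8221cbd94062
(PID) Process: (6924) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: ExampleUpdater
Value: "C:\Users\admin\AppData\Local\Example\updater.exe" /background
(PID) Process: (1116) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation: delete value
Name: installer.taskbarpin.win10.enabled
Value:
"""

if __name__ == "__main__":
    for pid, rule, detail in triage_text(SAMPLE):
        print(f"PID {pid}: {rule}: {detail}")
```

The output lists what was changed, not whether it is malicious: registering a URL scheme and silencing its launch prompt is exactly what a game launcher does, and equally what a loader that wants a silent browser-to-executable path does. The finding is the cue to inspect the shell\open\command handler target and whether the binary that wrote it is what it claims to be.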
Executable files
209
Suspicious files
203
Text files
48
Unknown types
12

Dropped files

PID
Process
Filename
Type
6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\889e0052812b9ed64dd5653d29180ee7
Type: compressed
MD5: 889E0052812B9ED64DD5653D29180EE7
SHA256: 501BFA6CCEAB8DBE2510BCDE501E29C23D0786E8FB93AB9B4B8AABDD88973F16

6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\logs\cacert.pem
Type: text
MD5: C656D325F5DF1991584F0BB00A27902F
SHA256: 98ECAF8DA767CCB2870DD30A5E7334D2F45702A3A33EC8B4286E6AE88B720EB8

6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\32b1e1dc9c28a412cd13936305620af8
Type: compressed
MD5: 32B1E1DC9C28A412CD13936305620AF8
SHA256: 04AB3782BDF95AE8640BABDFD7524A33A744F5B3D10C7523F6C7A704E79AB3F3

6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\Roblox\http\RBXEEF4F04FED2940C1973EA1780FBB966B
Type: binary
MD5: 5C450619F83DB7400AF41C1076D5FCE6
SHA256: 5A605B987E7FCC079F311F8F998FF273D90671148B225471F2A540AC6F6F6BDF

6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\cd77e0e77d698260809f8ae8b3993740
Type: compressed
MD5: CD77E0E77D698260809F8AE8B3993740
SHA256: C21C2EF75EDEF71EA53DD1FED5470CFA3D513D22F8CDFDF2431E43FE8FF4C95A

6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\b4b75c21ce05378163042dc45cec5834
Type: compressed
MD5: B4B75C21CE05378163042DC45CEC5834
SHA256: 4D6FE68C8B4941CE335CE5597EBBC1F27AB02646E9AF98AF8A76875AD0FD191F

6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\a94b6d53eea3ae5600fc749c1a0bd8cc
Type: compressed
MD5: A94B6D53EEA3AE5600FC749C1A0BD8CC
SHA256: 94541B0A6B6A403C8D7243EB3078264473F3244EB467815DC574ADAA0CE849C5

6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\30c885074d0320c0932e06bfd537c915
Type: compressed
MD5: 30C885074D0320C0932E06BFD537C915
SHA256: 4C732976972BBEC8B2B0C579067F6AB4A143263637E6F9A6E2AA1FE7F9A68E7B

6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Local\Roblox\Downloads\roblox-player\9db266898c508ffdbb4cba815a6e7250
Type: compressed
MD5: 9DB266898C508FFDBB4CBA815A6E7250
SHA256: 73EA3615D948B8B2631EA530002DF068A748C50AEA99A40A782C229A274164E6

6468 RobloxPlayerInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox\Roblox Studio.lnk
Type: lnk
MD5: F0138EA85CF29107568A842400B1723E
SHA256: 07FCD5A37C5E6EBEF9E997D17CF50E145B38E91A891836F330E6EF4F01BB3446
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
83
TCP/UDP connections
258
DNS requests
346
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1568
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1568
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6900
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6940
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1116
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
1116
firefox.exe
POST
200
184.24.77.54:80
http://r10.o.lencr.org/
unknown
unknown
1116
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
1116
firefox.exe
POST
200
184.24.77.48:80
http://r11.o.lencr.org/
unknown
unknown
1116
firefox.exe
POST
200
184.24.77.54:80
http://r10.o.lencr.org/
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
4780
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1748
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6468
RobloxPlayerInstaller.exe
128.116.21.3:443
ecsv2.roblox.com
ROBLOX-PRODUCTION
US
unknown
6468
RobloxPlayerInstaller.exe
104.122.32.163:443
clientsettingscdn.roblox.com
AKAMAI-AS
DE
unknown
6468
RobloxPlayerInstaller.exe
205.234.175.102:443
setup.rbxcdn.com
CACHENETWORKS
US
unknown
4
System
192.168.100.255:137
whitelisted
4780
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
ecsv2.roblox.com
  • 128.116.21.3
whitelisted
clientsettingscdn.roblox.com
  • 104.122.32.163
  • 2.16.43.25
whitelisted
setup.rbxcdn.com
  • 205.234.175.102
whitelisted
www.bing.com
  • 23.207.210.196
  • 23.207.210.200
  • 104.126.37.139
  • 104.126.37.155
  • 104.126.37.161
  • 104.126.37.146
  • 104.126.37.160
  • 104.126.37.144
  • 104.126.37.153
  • 104.126.37.145
  • 104.126.37.154
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.72
  • 40.126.32.76
  • 40.126.32.133
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.17
  • 40.126.32.136
whitelisted
th.bing.com
  • 23.207.210.200
  • 23.207.210.196
  • 104.126.37.171
  • 104.126.37.128
  • 104.126.37.177
  • 104.126.37.139
  • 104.126.37.130
  • 104.126.37.186
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.123
whitelisted

Threats

PID
Process
Class
Message
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
1116
firefox.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
4604
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4604
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
RobloxPlayerInstaller.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobloxStudioInstaller.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.