Malware analysis RBLXHUBLauncher.exe Malicious activity

Add for printing

File name:	RBLXHUBLauncher.exe
Full analysis:	https://app.any.run/tasks/b5b40ca5-e80d-4d39-972a-0559910a4406
Verdict:	Malicious activity
Analysis date:	July 26, 2024, 20:13:09
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	autoit
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	B4463809F314A236C031C5005CF88D2F
SHA1:	75CACA1A36410CA730D1DB7A51EEFD2AAA20684A
SHA256:	EB58958B80E3E519339B125AC0B294911566E1636D0E167116E7971650CF9DD1
SSDEEP:	49152:0PPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtpjXi:+P/mp7t3T4+B/btosJwIA4hHmZlKH2Ts

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - RBLXHUBLauncher.exe (PID: 396)
- Modifies hosts file to block updates
  - cmd.exe (PID: 236)
SUSPICIOUS
- Reads the date of Windows installation
  - RBLXHUBLauncher.exe (PID: 396)
- Reads security settings of Internet Explorer
  - RBLXHUBLauncher.exe (PID: 396)
  - RBLXHUBLauncher.exe (PID: 2124)
  - RBLXHUBLauncher.exe (PID: 1180)
- Powershell scripting: start process
  - RBLXHUBLauncher.exe (PID: 396)
- Starts POWERSHELL.EXE for commands execution
  - RBLXHUBLauncher.exe (PID: 396)
- Found IP address in command line
  - powershell.exe (PID: 2132)
- Starts CMD.EXE for commands execution
  - powershell.exe (PID: 2132)
- Potential Corporate Privacy Violation
  - RBLXHUBLauncher.exe (PID: 396)
  - RBLXHUBLauncher.exe (PID: 2124)
INFO
- Reads mouse settings
  - RBLXHUBLauncher.exe (PID: 396)
  - RBLXHUBLauncher.exe (PID: 2124)
  - RBLXHUBLauncher.exe (PID: 1180)
- Reads the computer name
  - RBLXHUBLauncher.exe (PID: 396)
  - RBLXHUBLauncher.exe (PID: 2124)
  - RBLXHUBLauncher.exe (PID: 1180)
- Checks proxy server information
  - slui.exe (PID: 6480)
  - RBLXHUBLauncher.exe (PID: 396)
  - RBLXHUBLauncher.exe (PID: 1180)
  - RBLXHUBLauncher.exe (PID: 2124)
  - slui.exe (PID: 6308)
- Reads the software policy settings
  - slui.exe (PID: 6480)
  - slui.exe (PID: 6308)
- Process checks computer location settings
  - RBLXHUBLauncher.exe (PID: 396)
- Checks supported languages
  - RBLXHUBLauncher.exe (PID: 396)
  - RBLXHUBLauncher.exe (PID: 1180)
  - RBLXHUBLauncher.exe (PID: 2124)
- Create files in a temporary directory
  - RBLXHUBLauncher.exe (PID: 396)
  - RBLXHUBLauncher.exe (PID: 2124)
- Manual execution by a user
  - RBLXHUBLauncher.exe (PID: 2124)
  - RBLXHUBLauncher.exe (PID: 1180)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:23 11:42:28+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	633856
InitializedDataSize:	783872
UninitializedDataSize:	-
EntryPoint:	0x20577
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (British)
CharacterSet:	Unicode
FileVersion:	0.0.0.0
Comments:	RBLXHub
FileDescription:	RBLXHub Launcher
ProductName:	RBLXHub Launcher
ProductVersion:	1
CompanyName:	RBLXHub
LegalCopyright:	Made by Alienwy and randomdude744

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

155

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

236

"C:\WINDOWS\SysWOW64\cmd.exe" /c echo. && echo 127.0.0.1 rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 www.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 api.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 assetgame.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 assetdelivery.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 clientsettingscdn.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && pause

C:\Windows\SysWOW64\cmd.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

396

"C:\Users\admin\Desktop\RBLXHUBLauncher.exe"

C:\Users\admin\Desktop\RBLXHUBLauncher.exe

explorer.exe

User:

admin

Company:

RBLXHub

Integrity Level:

MEDIUM

Description:

RBLXHub Launcher

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\rblxhublauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1180

"C:\Users\admin\Desktop\RBLXHUBLauncher.exe"

C:\Users\admin\Desktop\RBLXHUBLauncher.exe

—

explorer.exe

User:

admin

Company:

RBLXHub

Integrity Level:

MEDIUM

Description:

RBLXHub Launcher

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\rblxhublauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2124

"C:\Users\admin\Desktop\RBLXHUBLauncher.exe"

C:\Users\admin\Desktop\RBLXHUBLauncher.exe

explorer.exe

User:

admin

Company:

RBLXHub

Integrity Level:

MEDIUM

Description:

RBLXHub Launcher

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\rblxhublauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2132

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" start-process -verb runas 'cmd.exe' -argumentlist ' /c echo. && echo 127.0.0.1 rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 www.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 api.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 assetgame.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 assetdelivery.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && echo 127.0.0.1 clientsettingscdn.rbolock.tk >>c:\Windows\System32\Drivers\etc\hosts && pause '

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

RBLXHUBLauncher.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3848

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4324

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6308

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6480

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

92 425

Read events

92 384

Write events

Delete events

Modification events


(PID) Process:	(396) RBLXHUBLauncher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(396) RBLXHUBLauncher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(396) RBLXHUBLauncher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(396) RBLXHUBLauncher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2132) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2132) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2132) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2132) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(396) RBLXHUBLauncher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(396) RBLXHUBLauncher.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

Add for printing

Executable files

Suspicious files

229

Text files

1 186

Unknown types

Dropped files

PID	Process	Filename		Type
2132	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:88A9811FC2E7C0A50D13BD39D4D1E520	SHA256:74CB2D34A50D69D3B35F3C1FFA5D05E47ADB146D8B5BDF2A5528393A7F474991
2124	RBLXHUBLauncher.exe	C:\Users\admin\AppData\Local\Temp\9DD1.tmp		text
		MD5:E7E0EB910010158BACA2A4AE1A3E6D0F	SHA256:B82279FE411ACFBB7E7039D2170424A892842DBACD01612066ABC717CDB76949
2124	RBLXHUBLauncher.exe	C:\Users\admin\AppData\Local\Temp\A382.tmp		ini
		MD5:88643CA5D632E70DB63F0F4D031A24FD	SHA256:08905CA14E493537734C5FF18B487ECABA9A110834262887C217359D96CE9287
2124	RBLXHUBLauncher.exe	C:\Users\admin\AppData\Local\Temp\A248.tmp		text
		MD5:2857A79A2BA970C716E280F7D5C3EF1E	SHA256:313DB37144EDCB97404159BD46A242C15808F6C134F9D18259EFF7354471425C
2124	RBLXHUBLauncher.exe	C:\Users\admin\AppData\Local\Temp\A4BB.tmp		ini
		MD5:6524DE163B4C761317C86091A43E6220	SHA256:75847167AD40DE6329BDE85C2E277417A33BEDC2F7B13F6D4F25643C3A65B0B0
2132	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R6KWQN54FMHT6LHSX3CG.temp		binary
		MD5:88A9811FC2E7C0A50D13BD39D4D1E520	SHA256:74CB2D34A50D69D3B35F3C1FFA5D05E47ADB146D8B5BDF2A5528393A7F474991
2124	RBLXHUBLauncher.exe	C:\Users\admin\AppData\Local\Temp\9B5E.tmp		ini
		MD5:C6DBFAF3F4D59FD6C17E7623C9C3FE84	SHA256:D3DB4EE3A2400602AF1F24845F0DFBADFFCF35AEDB6D3DEF1F3975AA9920F717
396	RBLXHUBLauncher.exe	C:\Users\admin\AppData\Local\Temp\4A70.tmp		ini
		MD5:CF6E4FD4C1E5289840C345D61CE87D3D	SHA256:338EB529238055483789ADEF0818143EB0166E2C118B40938FCF1A13FF58D1FF
2124	RBLXHUBLauncher.exe	C:\Users\admin\AppData\Local\Temp\A72E.tmp		ini
		MD5:3D92FE80529FD58173E248D6376EDC99	SHA256:52F14CC77C4F9C2BEF8376BC7E2370240CD2EBD0E891CF17105F08C9E2AB634F
2132	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:289B1B0F266DEAD61B3B7459AFBBDA0A	SHA256:2C083A6A6ED19F559E5BE583CA1D505CF79C466C4719127CF5293D539D00CD60

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
3676	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
396	RBLXHUBLauncher.exe	GET	200	188.114.96.3:80	http://rblxhubdeploytest.rand744.nl/latestver	unknown	—	—	whitelisted
4424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
396	RBLXHUBLauncher.exe	GET	200	188.114.96.3:80	http://rblxhubdeploytest.rand744.nl/ver2-requiredupdates	unknown	—	—	whitelisted
1256	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
396	RBLXHUBLauncher.exe	GET	200	188.114.96.3:80	http://rblxhubdeploytest.rand744.nl/ver3-requiredupdates	unknown	—	—	whitelisted
4132	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
2124	RBLXHUBLauncher.exe	GET	200	188.114.96.3:80	http://rblxhubdeploytest.rand744.nl/latestver	unknown	—	—	whitelisted
2124	RBLXHUBLauncher.exe	GET	200	188.114.96.3:80	http://rblxhubdeploytest.rand744.nl/ver2-requiredupdates	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
1028	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	2.20.142.145:443	www.bing.com	Akamai International B.V.	DE	unknown
6012	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1272	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2616	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1044	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6480	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
t-ring-fdv2.msedge.net	13.107.237.254	unknown
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 51.124.78.146	whitelisted
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	2.20.142.145 2.20.143.112 2.20.142.179 2.20.142.139 2.20.142.181 2.20.142.182 2.20.142.178 2.20.142.123 2.20.142.147	whitelisted
google.com	142.250.184.206	whitelisted
fp-afd-nocache-ccp.azureedge.net	13.107.246.60	whitelisted
login.live.com	40.126.32.136 20.190.160.14 40.126.32.68 40.126.32.74 20.190.160.22 40.126.32.72 20.190.160.17 40.126.32.134	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.113.103.199 40.113.110.67	whitelisted
fd.api.iris.microsoft.com	20.31.169.57 20.199.58.43	whitelisted

Threats

PID	Process	Class	Message
396	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
396	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
396	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
396	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
396	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2124	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2124	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2124	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2124	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2124	RBLXHUBLauncher.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile

Add for printing

No debug info

General Info

RBLXHUBLauncher.exe

B4463809F314A236C031C5005CF88D2F

75CACA1A36410CA730D1DB7A51EEFD2AAA20684A

EB58958B80E3E519339B125AC0B294911566E1636D0E167116E7971650CF9DD1

49152:0PPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtpjXi:+P/mp7t3T4+B/btosJwIA4hHmZlKH2Ts

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Modifies hosts file to block updates

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Powershell scripting: start process

Starts POWERSHELL.EXE for commands execution

Found IP address in command line

Starts CMD.EXE for commands execution

Potential Corporate Privacy Violation

INFO

Reads mouse settings

Reads the computer name

Checks proxy server information

Reads the software policy settings

Process checks computer location settings

Checks supported languages

Create files in a temporary directory

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings