File name: | RobloxPlayerLauncher.exe |
---|---|
Full analysis: | https://app.any.run/tasks/b8f7c2e6-b0c8-43a6-8883-e5f900b267d5 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 08:44:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | — |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 791E080FD687B3608AA1467879D10E6A |
SHA1: | 6AFF2C0930E4F407F1E3ABE3D84606572F6D0FE0 |
SHA256: | FD817357BECEA1D4621EAAEB2A87DAA920B634DF9C54849FDF45AFE5D080B702 |
SSDEEP: | 24576:lCtT7CT0eXTAsUFKXi5v0OBRRrUG4rsw/W8AMtCTZ8LxZpd3g7MBQDPKdAGM8TX2:svVGTAsqKUnBfrUG4rTPAMkTZ8LxZpdw |
.exe | Win32 Executable (generic) (52.9) |
---|---|
.exe | Generic Win/DOS Executable (23.5) |
.exe | DOS Executable Generic (23.5) |
ProductVersion: | 1, 6, 3, 311600 |
---|---|
ProductName: | Roblox Bootstrapper |
OriginalFileName: | Roblox.exe |
LegalCopyright: | Copyright © 2019 Roblox Corporation. All rights reserved. |
FileVersion: | 1, 6, 3, 311600 |
FileDescription: | Roblox |
CompanyName: | Roblox Corporation |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0017 |
ProductVersionNumber: | 1.6.3.49456 |
FileVersionNumber: | 1.6.3.49456 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x5b2d3 |
UninitializedDataSize: | - |
InitializedDataSize: | 745984 |
CodeSize: | 848896 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2019:06:13 23:45:42+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 13-Jun-2019 21:45:42 |
Detected languages: | — |
TLS Callbacks: | 1 callback(s) detected. |
Debug artifacts: | — |
CompanyName: | Roblox Corporation |
FileDescription: | Roblox |
FileVersion: | 1, 6, 3, 311600 |
LegalCopyright: | Copyright © 2019 Roblox Corporation. All rights reserved. |
OriginalFilename: | Roblox.exe |
ProductName: | Roblox Bootstrapper |
ProductVersion: | 1, 6, 3, 311600 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000140 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 13-Jun-2019 21:45:42 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | — |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000CF37A | 0x000CF400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.63135 |
.rdata | 0x000D1000 | 0x00043B92 | 0x00043C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.74112 |
.data | 0x00115000 | 0x000562E0 | 0x00004A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.73221 |
.tls | 0x0016C000 | 0x0000000D | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.gfids | 0x0016D000 | 0x00000188 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.41239 |
CPADinfo | 0x0016E000 | 0x00000028 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.122276 |
.rsrc | 0x0016F000 | 0x00010B18 | 0x00010C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.07249 |
.reloc | 0x00180000 | 0x0000AF10 | 0x0000B000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.64089 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.33374 | 1070 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 2.59712 | 62 | UNKNOWN | Process Default Language | RT_GROUP_ICON |
3 | 3.02768 | 9640 | UNKNOWN | Process Default Language | RT_ICON |
4 | 7.90744 | 7216 | UNKNOWN | Process Default Language | RT_ICON |
7 | 3.38178 | 488 | UNKNOWN | Portuguese - Brazil | RT_STRING |
8 | 3.32834 | 602 | UNKNOWN | Portuguese - Brazil | RT_STRING |
130 | 3.12907 | 254 | UNKNOWN | Process Default Language | RT_DIALOG |
131 | 2 | 8 | UNKNOWN | Process Default Language | RT_ACCELERATOR |
157 | 7.30906 | 665 | UNKNOWN | Process Default Language | PNG |
158 | 7.56743 | 818 | UNKNOWN | Process Default Language | PNG |
Imports |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
POWRPROF.dll |
PSAPI.DLL |
SHELL32.dll |
SHLWAPI.dll |
SensApi.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3468 | "C:\Users\admin\AppData\Local\Temp\RobloxPlayerLauncher.exe" | C:\Users\admin\AppData\Local\Temp\RobloxPlayerLauncher.exe | — | explorer.exe |
| User: admin; Company: Roblox Corporation; Integrity Level: MEDIUM; Description: Roblox; Exit code: 0; Version: 1, 6, 3, 311600 | | | |
3544 | C:\Users\admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x558,0x55c,0x560,0x554,0x568,0x4eb1dc,0x4eb1ec,0x4eb1fc | C:\Users\admin\AppData\Local\Temp\RobloxPlayerLauncher.exe | — | RobloxPlayerLauncher.exe |
| User: admin; Company: Roblox Corporation; Integrity Level: MEDIUM; Description: Roblox; Exit code: 0; Version: 1, 6, 3, 311600 | | | |
1708 | "C:\Users\admin\AppData\Local\Temp\RBX-3F95A26A\RobloxPlayerLauncher.exe" | C:\Users\admin\AppData\Local\Temp\RBX-3F95A26A\RobloxPlayerLauncher.exe | — | RobloxPlayerLauncher.exe |
| User: admin; Company: Roblox Corporation; Integrity Level: MEDIUM; Description: Roblox; Version: 1, 6, 3, 319623 | | | |
1656 | C:\Users\admin\AppData\Local\Temp\RBX-3F95A26A\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x568,0x56c,0x570,0x564,0x578,0x29a184,0x29a194,0x29a1a4 | C:\Users\admin\AppData\Local\Temp\RBX-3F95A26A\RobloxPlayerLauncher.exe | — | RobloxPlayerLauncher.exe |
| User: admin; Company: Roblox Corporation; Integrity Level: MEDIUM; Description: Roblox; Version: 1, 6, 3, 319623 | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3468 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@roblox[1].txt | — | — | — |
1708 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\6e3020d76107ac20a1d2a6a9fea1ab45.part | — | — | — |
1708 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\a869c62298ae29ad891fd10a2e8f9288.part | — | — | — |
1708 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Roblox\Downloads\12dbe83c9ef3ebe379e8777fba22b092.part | — | — | — |
1708 | RobloxPlayerLauncher.exe | C:\Users\admin\Desktop\Roblox Studio.lnk | lnk | 7F39DE33783B509A4C076F6D0DF3C9B7 | 0198F66DE13CA972661E97966FE8DA37FAFD1A589B7278B4465C795901E0DEE6 |
3468 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\application[1] | text | CE93FF6C69727F3F1E81B1FE98002EC0 | 3A3DAB60915E3992EE83308E297CF46BC4ECD9556DC1DD8844356FD98C39614D |
3468 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Temp\RBX-12CD696F.log | text | 5ACFBE4629EC1AB28C2C9E5AEDEB82BC | 06E66E43066CD2DB7FC435C84143E8D4CB8DEE036884CB86F705D932746EFFFF |
1656 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\application[1] | text | CE93FF6C69727F3F1E81B1FE98002EC0 | 3A3DAB60915E3992EE83308E297CF46BC4ECD9556DC1DD8844356FD98C39614D |
1708 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox\Roblox Studio.lnk | lnk | 726B88C0CFB44A4ED470245EA97B2E65 | 7DD8CA504D60B18BFE588BB05AE88074F5E8026F6B8742F1971DB1391DC91406 |
1708 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\application[1] | text | CE93FF6C69727F3F1E81B1FE98002EC0 | 3A3DAB60915E3992EE83308E297CF46BC4ECD9556DC1DD8844356FD98C39614D |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1708 | RobloxPlayerLauncher.exe | 209.206.41.229:443 | www.roblox.com | Roblox | US | suspicious |
3544 | RobloxPlayerLauncher.exe | 104.109.74.223:443 | clientsettingscdn.roblox.com | Akamai International B.V. | NL | whitelisted |
1708 | RobloxPlayerLauncher.exe | 209.206.41.152:443 | ephemeralcounters.api.roblox.com | Roblox | US | suspicious |
3544 | RobloxPlayerLauncher.exe | 209.206.41.152:443 | ephemeralcounters.api.roblox.com | Roblox | US | suspicious |
3468 | RobloxPlayerLauncher.exe | 209.206.41.229:443 | www.roblox.com | Roblox | US | suspicious |
3468 | RobloxPlayerLauncher.exe | 2.18.233.109:443 | setup.rbxcdn.com | Akamai International B.V. | — | whitelisted |
1656 | RobloxPlayerLauncher.exe | 209.206.41.152:443 | ephemeralcounters.api.roblox.com | Roblox | US | suspicious |
3468 | RobloxPlayerLauncher.exe | 209.206.41.152:443 | ephemeralcounters.api.roblox.com | Roblox | US | suspicious |
3468 | RobloxPlayerLauncher.exe | 104.109.74.223:443 | clientsettingscdn.roblox.com | Akamai International B.V. | NL | whitelisted |
1656 | RobloxPlayerLauncher.exe | 104.109.74.223:443 | clientsettingscdn.roblox.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
clientsettingscdn.roblox.com | — | whitelisted |
ephemeralcounters.api.roblox.com | — | whitelisted |
www.roblox.com | — | whitelisted |
setup.rbxcdn.com | — | whitelisted |