
Windows Analysis Report RobloxPlayerBeta.exe

Overview

General Information

Sample Name: RobloxPlayerBeta.exe
Analysis ID: 464540
MD5: 710d9b62fb4a44ada297c90890d655eb
SHA1: 0e6459ba901763b1d644924a74e807c75224b0fd
SHA256: df7eeecca08052d1a779af121c975fc7e67e45589a55037f8bf7833c42532a59

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected VMProtect packer
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Entry point lies outside standard sections
Installs a raw input device (often for capturing keystrokes)
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files

Classification

Classification chart (figure; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious).

Process tree

  • System is w10x64
  • RobloxPlayerBeta.exe (PID: 5752 cmdline: 'C:\Users\user\Desktop\RobloxPlayerBeta.exe' MD5: 710D9B62FB4A44ADA297C90890D655EB)
    • WerFault.exe (PID: 384 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 800 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: RobloxPlayerBeta.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: RobloxPlayerBeta.exe; Static PE information: certificate valid
Source: RobloxPlayerBeta.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: BrowserServiceForAllPlatformsBrowserServiceDiagnosewechatauthTencentAuthPathSendCommandCloseBrowserWindowOpenWeChatAuthWindowOpenBrowserWindowparamscallbackIdjavascriptExecuteJavaScriptmoduleNameEmitHybridEventReturnToJavaScripteventNameBrowserWindowClosedBrowserWindowWillNavigateOpenNativeOverlayCopyAuthCookieFromBrowserToEngineUnknown platformJavaScriptCallbackAuthCookieCopiedToEngined631f3d9-fce0-4711-8cf4-6f9a9756638b[FLog::BrowserServiceDiagnose] BrowserServiceDiagnose BrowserService::openWeChatAuthWindow[FLog::BrowserServiceDiagnose] BrowserServiceDiagnose BrowserService::onServiceProviderwww.youtube.com[FLog::BrowserServiceDiagnose] BrowserServiceDiagnose BrowserService::openBrowserWindow %sBrowserService::OpenBrowserWindow() was called on not a client (use local scripts on this call).[FLog::BrowserServiceDiagnose] BrowserServiceDiagnose BrowserService::sendCommand %s/watchBrowserService::OpenBrowserWindow() was called on non-whitelisted url.[FLog::BrowserServiceDiagnose] BrowserServiceDiagnose BrowserService::openNativeOverlay[FLog::BrowserServiceDiagnose] BrowserServiceDiagnose BrowserService::closeBrowserWindowBrowserService::OpenNativeOverlay() was called on not a client (use local scripts on this call).[FLog::BrowserServiceDiagnose] BrowserServiceDiagnose BrowserService::executeJavaScript %sBrowserService::OpenNativeOverlay() was called on non-Roblox url.if (window.Roblox.Hybrid && window.Roblox.Hybrid.Bridge.nativeCallback && typeof window.Roblox.Hybrid.Bridge.nativeCallback === "function") { window.Roblox.Hybrid.Bridge.nativeCallback('%s', %s, %s); }[FLog::BrowserServiceDiagnose] BrowserServiceDiagnose BrowserService::returnToJavaScript %sif (window.Roblox.Hybrid && window.Roblox.Hybrid.Bridge.emitEvent && typeof window.Roblox.Hybrid.Bridge.emitEvent === "function") { window.Roblox.Hybrid.Bridge.emitEvent('%s', '%s', %s); }BrowserService[FLog::BrowserServiceDiagnose] BrowserServiceDiagnose BrowserService::emitHybridEvent %s, %s, %s equals www.youtube.com (Youtube)
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; String found in binary or memory: http://100.20.191.133:8086
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://100.20.191.133:8086TelegrafHTTPTransportUrlPointsListMaxDataSizeSessionCountIntervalSecondsAl
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://127.0.0.1:8001
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; String found in binary or memory: http://35.155.141.13:8086
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; String found in binary or memory: http://35.155.141.13:8086ss
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://assetdelivery.roblox.com/v1/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://assetdelivery.roblox.qq.com/v1/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://assetgame.roblox.com/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://assetgame.roblox.qq.com/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; String found in binary or memory: http://test.public.ecs.roblox.com/
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://tools.ietf.org/html/draft-ietf-avtext-framemarking-07
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.com
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.com%s/asset/?id=%skeyframeSequenceRegisterActiveKeyframeSequenceRegisterKeyframeSe
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.com)
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.com)ProbeHttpRequestsPerMinuteLimitZeroProbeHttpRequestsPerMinuteLimitMultProbeHtt
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.com/
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.com/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.com/roblox.xsd
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.com/roblox.xsdSerializer::loadInstances
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.qq.com/
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.roblox.qq.com/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cnhttp://www.webrtc.org/experiments/rtp-hdrext/v
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extensionhttp://www.we
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://assetdelivery.roblox.com/v1/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://assetdelivery.roblox.com/v1/asset/?id=http://assetdelivery.roblox.com/v1/asset/?id=https://a
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://assetdelivery.roblox.qq.com/v1/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://assetgame.roblox.com/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://assetgame.roblox.qq.com/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://c0ak.rbxcdn.com/test-50kb.png
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://c0cfly.rbxcdn.com/test-50kb.png
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://c0hw.rbxcdn.com/test-50kb.png
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://c0ll.rbxcdn.com/test-50kb.png
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://client-telemetry.roblox.com
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://crbug.com/1053756
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://developer.roblox.com/
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://developer.roblox.com/ToolMouseCommand
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://devforum.roblox.com/t/deprecating-text-filtering-from-localscripts/46403
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://en.help.roblox.com/hc/en-us/articles/203312910?fromStudio=true
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; String found in binary or memory: https://upload.crashes.rbxinfra.com/post?
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; String found in binary or memory: https://upload.crashes.rbxinfra.com/post?format=minidump
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://upload.crashes.rbxinfra.com/post?format=minidumpCrashUploadToBacktraceWindowsRCCToken82fc562
Source: RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp; String found in binary or memory: https://upload.crashes.rbxinfra.com/post?format=minidumppu
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.google-analytics.com/collect
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.google-analytics.com/collecthttp://test.public.ecs.roblox.com/RobloxAnalyticsSubDomainDe
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.roblox.com/
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.roblox.com/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.roblox.com/drivers
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.roblox.com/games/
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.roblox.com/games/shaders_Screen
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.roblox.com/games/start?
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.roblox.com/search/users?keyword=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.roblox.qq.com/
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; String found in binary or memory: https://www.roblox.qq.com/asset/?id=
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; Binary or memory string: [FLog::WinRawInput] GetRawInputData returned buffer of size %f, while we expected size of %f

System Summary:

Detected VMProtect packer
Source: RobloxPlayerBeta.exe; Static PE information: .vmp0 and .vmp1 section names
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 800
Source: RobloxPlayerBeta.exe; Static PE information: Number of sections : 12 > 10
Source: RobloxPlayerBeta.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RobloxPlayerBeta.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RobloxPlayerBeta.exe, 00000000.00000000.222948976.0000000004CD7000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameRobloxApp.exe. vs RobloxPlayerBeta.exe
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; Binary or memory string: Comments\StringFileInfo\%04x%04x\%s\VarFileInfo\TranslationLegalCopyrightCompanyNameProductNameInternalNamePrivateBuildLegalTrademarksFileDescriptionProductVersionSpecialBuildOriginalFilenameFileVersion$gp vs RobloxPlayerBeta.exe
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Section loaded: bcrypt.dll
Source: RobloxPlayerBeta.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: classification engine; Classification label: mal56.evad.winEXE@2/4@0/0
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; File created: C:\Users\user\AppData\Local\Roblox
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5752
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7057.tmp
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown; Process created: C:\Users\user\Desktop\RobloxPlayerBeta.exe 'C:\Users\user\Desktop\RobloxPlayerBeta.exe'
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 800
Source: RobloxPlayerBeta.exe; Static PE information: certificate valid
Source: RobloxPlayerBeta.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RobloxPlayerBeta.exe; Static file information: File size 43335640 > 1048576
Source: RobloxPlayerBeta.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bb4200
Source: RobloxPlayerBeta.exe; Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0xc5a000
Source: RobloxPlayerBeta.exe; Static PE information: More than 200 imports for KERNEL32.dll
Source: RobloxPlayerBeta.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RobloxPlayerBeta.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RobloxPlayerBeta.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RobloxPlayerBeta.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RobloxPlayerBeta.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RobloxPlayerBeta.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: RobloxPlayerBeta.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: RobloxPlayerBeta.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RobloxPlayerBeta.exe; Static PE information: 0x973ACCFF [Thu May 26 21:26:23 2050 UTC]
Source: initial sample; Static PE information: section where entry point is pointing to: .vmp1
Source: RobloxPlayerBeta.exe; Static PE information: real checksum: 0x295b736 should be:
Source: RobloxPlayerBeta.exe; Static PE information: section name: .zero
Source: RobloxPlayerBeta.exe; Static PE information: section name: .rodata
Source: RobloxPlayerBeta.exe; Static PE information: section name: .vmpx
Source: RobloxPlayerBeta.exe; Static PE information: section name: rbxi
Source: RobloxPlayerBeta.exe; Static PE information: section name: _RDATA
Source: RobloxPlayerBeta.exe; Static PE information: section name: .vmp0
Source: RobloxPlayerBeta.exe; Static PE information: section name: .vmp1
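The static findings above (12 sections, seven non-standard section names, entry point in .vmp1, a checksum that does not verify, a timestamp decoding to the year 2050) are all header checks that can be reproduced without the sandbox. The script below is an added example, not part of the Joe Sandbox report and not Roblox code: it builds a PE32 image in memory whose section names, section count, entry section and TimeDateStamp follow the report (every other byte, size and address is invented) and runs the same checks on it. STANDARD_SECTIONS is this example's own list of names a stock MSVC link emits, and the checksum routine implements the documented CheckSumMappedFile algorithm. Two caveats for reading these signatures: a TimeDateStamp far in the future on a signed, reproducibly built binary is usually a linker-generated hash (MSVC /Brepro) rather than timestomping, and a checksum field of zero means the linker never filled it in; both differ from the computed value, so the checksum check alone separates neither case from tampering.

```python
"""Static PE triage that reproduces the report's "Static PE information" checks.

Added example; not part of the Joe Sandbox report and not Roblox code. The PE32
image is constructed in memory so the script runs offline: section names and
count, entry-point section and TimeDateStamp follow the report, every other
byte, size and address is invented. Pass real file bytes to triage() the same way.
"""
import struct
from datetime import datetime, timezone

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".gfids"}
SAMPLE_SECTIONS = [".text", ".zero", ".rdata", ".rodata", ".data", ".vmpx",
                   "rbxi", "_RDATA", ".rsrc", ".reloc", ".vmp0", ".vmp1"]
SAMPLE_TIMESTAMP = 0x973ACCFF   # TimeDateStamp quoted in the report
SAMPLE_ENTRY_RVA = 0xC010       # falls inside .vmp1 in the layout built below
HDR_SIZE, RAW_SIZE, SEC_ALIGN = 0x400, 0x200, 0x1000


def build_sample_pe(names=SAMPLE_SECTIONS, timestamp=SAMPLE_TIMESTAMP,
                    entry_rva=SAMPLE_ENTRY_RVA, checksum=0):
    """DOS header, PE signature, COFF header, 224-byte PE32 optional header,
    one 40-byte section header per name, then RAW_SIZE filler bytes per section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), timestamp,
                                   0, 0, 224, 0x0122)  # EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE|32BIT_MACHINE
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 14, 0,
                      0, 0, 0, entry_rva, 0x1000, 0x2000, 0x400000, SEC_ALIGN, RAW_SIZE,
                      6, 0, 0, 0, 6, 0,
                      0, SEC_ALIGN * (len(names) + 1), HDR_SIZE, checksum,
                      2, 0x8140,            # WINDOWS_GUI; DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), RAW_SIZE, SEC_ALIGN * (i + 1),
                                RAW_SIZE, HDR_SIZE + i * RAW_SIZE, 0, 0, 0, 0,
                                0x60000020 if n == ".text" else 0x40000040)
                    for i, n in enumerate(names))
    headers = dos + coff + opt + secs
    body = b"".join(bytes((i * 37 + k) & 0xFF for k in range(RAW_SIZE))   # invented content
                    for i in range(len(names)))
    return headers + b"\0" * (HDR_SIZE - len(headers)) + body


def parse_pe(data):
    """Pull out the PE32 header fields the checks below need."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    raw = [struct.unpack_from("<8sII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    return {"timestamp": ts,
            "entry": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_offset": opt + 64,
            "checksum_stored": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": [(n.rstrip(b"\0").decode("ascii", "replace"), va, vs)
                         for n, vs, va in raw]}   # header order: Name, VirtualSize, VirtualAddress


def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile: add every dword except the CheckSum field with
    end-around carry, fold to 16 bits, then add the file length."""
    padded = data + b"\0" * ((-len(data)) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            if total > 0xFFFFFFFF:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def set_checksum(data, value):
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def triage(data, now=None):
    """Return the findings the report's static signatures are built from."""
    pe = parse_pe(data)
    now = now or datetime.now(timezone.utc)
    stamp = datetime.fromtimestamp(pe["timestamp"], timezone.utc)
    entry_sec = next((n for n, va, vs in pe["sections"] if va <= pe["entry"] < va + vs), None)
    computed = pe_checksum(data, pe["checksum_offset"])
    return {"section_count": len(pe["sections"]),
            "too_many_sections": len(pe["sections"]) > 10,
            "nonstandard_sections": [n for n, _, _ in pe["sections"] if n not in STANDARD_SECTIONS],
            "entry_section": entry_sec,
            "entry_outside_standard": entry_sec not in STANDARD_SECTIONS,
            "timestamp_utc": stamp.strftime("%Y-%m-%d %H:%M:%S"),
            "timestamp_in_future": stamp > now,
            "checksum_stored": pe["checksum_stored"],
            "checksum_computed": computed,
            "checksum_ok": pe["checksum_stored"] == computed}   # 0 stored = never set by the linker


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against the constructed image and the output lists the same seven non-standard names the report does, places the entry point in .vmp1, decodes 0x973ACCFF to 2050-05-26 21:26:23 UTC, and reports the checksum as not matching; writing the computed value back with set_checksum() makes the check pass, which is how you confirm the routine agrees with the loader's arithmetic before trusting it on a real file.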

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: 9E0005 value: E9 FB BF 44 77
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: 77E2C000 value: E9 0A 40 BB 88
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: B50008 value: E9 AB E0 31 77
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: 77E6E0B0 value: E9 60 1F CE 88
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: B80005 value: E9 CB 5A 89 76
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: 77415AD0 value: E9 3A A5 76 89
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: B90005 value: E9 5B B0 8A 76
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: 7743B060 value: E9 AA 4F 75 89
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: BA0005 value: E9 DB F8 64 74
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: 751EF8E0 value: E9 2A 07 9B 8B
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: BB0005 value: E9 FB 42 66 74
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Memory written: PID: 5752 base: 75214300 value: E9 0A BD 99 8B
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS, NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (20 identical events)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RobloxPlayerBeta.exe, 00000000.00000000.242398610.0000000003D46000.00000020.00020000.sdmp; Binary or memory string: ISBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; RDTSC instruction interceptor: First address: 00000000041F732A second address: 00000000041F7337 instructions: 0x00000000 rdtsc; 0x00000002 inc ecx; 0x00000003 push esp; 0x00000004 cbw; 0x00000006 inc esp; 0x00000007 movsx ebx, si; 0x0000000a cdq; 0x0000000b inc ecx; 0x0000000c push edx; 0x0000000d rdtsc
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; RDTSC instruction interceptor: First address: 0000000004081D9A second address: 0000000004081DA0 instructions: 0x00000000 rdtsc; 0x00000002 dec ecx; 0x00000003 sar esp, cl; 0x00000005 popfd; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; RDTSC instruction interceptor: First address: 0000000004081DA0 second address: 0000000004081DB6 instructions: 0x00000000 rdtsc; 0x00000002 cbw; 0x00000004 pop edi; 0x00000005 dec eax; 0x00000006 movzx ebx, ax; 0x00000009 inc bp; 0x0000000b movsx ebp, cl; 0x0000000e inc ecx; 0x0000000f pop esi; 0x00000010 dec eax; 0x00000011 cdq; 0x00000012 not dl; 0x00000014 inc ecx; 0x00000015 pop edi; 0x00000016 rdtsc
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; RDTSC instruction interceptor: First address: 0000000004081DB6 second address: 0000000004081DDE instructions: 0x00000000 rdtsc; 0x00000002 dec ecx; 0x00000003 arpl cx, dx; 0x00000005 inc bp; 0x00000007 movzx ecx, ah; 0x0000000a inc ecx; 0x0000000b pop edx; 0x0000000c inc ecx; 0x0000000d pop esp; 0x0000000e cbw; 0x00000010 inc cx; 0x00000012 movzx ecx, ch; 0x00000015 inc sp; 0x00000017 movsx ebx, ch; 0x0000001a pop ebx; 0x0000001b dec ebp; 0x0000001c arpl sp, ax; 0x0000001e inc sp; 0x00000020 movsx ebp, cl; 0x00000023 inc ebp; 0x00000024 mov ch, bh; 0x00000026 inc ecx; 0x00000027 pop ecx; 0x00000028 rdtsc
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; Binary or memory string: VMnet
Source: RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp; Binary or memory string: WebRTC-UseDifferentiatedCellularCostsNet[:id=C:\teamcity-agent\work\ci_deploy_nbsninja_client-x86\Client\ThirdParty\webrtc\src\rtc_base\network.ccToo many network interfaces to handle!Network change was observedVMnetNetworkManager detected networks:, active ? , Ignoredrtc::BasicNetworkManager::StartUpdatingSocket creation failedConnect failed with rtc::BasicNetworkManager::UpdateNetworksContinually
Source: RobloxPlayerBeta.exe, 00000000.00000000.233031994.0000000000BE5000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\RobloxPlayerBeta.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques matched by the report's signatures, grouped by tactic (the numbers in parentheses are the per-technique signature counts shown in the matrix; unmatched matrix cells are omitted):

  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Timestomp (1); DLL Side-Loading (1)
  • Credential Access: Credential API Hooking (1); Input Capture (1 1)
  • Discovery: Security Software Discovery (2 1 1); Virtualization/Sandbox Evasion (1); Process Discovery (1); System Information Discovery (1 2); Remote System Discovery (1)
  • Collection: Credential API Hooking (1); Input Capture (1 1); Archive Collected Data (1)

No techniques were matched under Initial Access, Execution, Lateral Movement, Exfiltration, Command and Control, Network Effects, Remote Service Effects or Impact.
Behavior graph (figure; ID 464540; sample RobloxPlayerBeta.exe; start date 13/08/2021; architecture WINDOWS; score 56). Legend and node layout omitted. Recoverable content: the top node carries the signatures "Detected VMProtect packer" and "Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)"; the RobloxPlayerBeta.exe process node carries "Overwrites code with unconditional jumps - possibly setting hooks in foreign process" and "Tries to detect virtualization through RDTSC time measurements" and has one child process, WerFault.exe.

Initial sample scan result (Source | Detection | Scanner | Label):

RobloxPlayerBeta.exe | 0% | Virustotal | -

No Antivirus matches for dropped files, unpacked PE files or domains.
URL scan results (Source | Detection | Scanner | Label):

https://upload.crashes.rbxinfra.com/post? | 0% | Avira URL Cloud | safe
http://127.0.0.1:8001 | 0% | Virustotal | -
http://127.0.0.1:8001 | 0% | Avira URL Cloud | safe
https://crbug.com/1053756 | 0% | Virustotal | -
https://crbug.com/1053756 | 0% | Avira URL Cloud | safe
http://www.roblox.com%s/asset/?id=%skeyframeSequenceRegisterActiveKeyframeSequenceRegisterKeyframeSe | 0% | Avira URL Cloud | safe
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | 0% | Avira URL Cloud | safe
http://100.20.191.133:8086 | 0% | Avira URL Cloud | safe
http://100.20.191.133:8086TelegrafHTTPTransportUrlPointsListMaxDataSizeSessionCountIntervalSecondsAl | 0% | Avira URL Cloud | safe
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extensionhttp://www.we | 0% | Avira URL Cloud | safe
http://35.155.141.13:8086ss | 0% | Avira URL Cloud | safe
https://upload.crashes.rbxinfra.com/post?format=minidump | 0% | Avira URL Cloud | safe
https://upload.crashes.rbxinfra.com/post?format=minidumppu | 0% | Avira URL Cloud | safe
https://upload.crashes.rbxinfra.com/post?format=minidumpCrashUploadToBacktraceWindowsRCCToken82fc562 | 0% | Avira URL Cloud | safe
http://www.roblox.com)ProbeHttpRequestsPerMinuteLimitZeroProbeHttpRequestsPerMinuteLimitMultProbeHtt | 0% | Avira URL Cloud | safe
http://35.155.141.13:8086 | 0% | Avira URL Cloud | safe
http://www.roblox.com) | 0% | Avira URL Cloud | safe


No contacted domains info
URLs found in process memory (Name | Source | Malicious | Antivirus Detection | Reputation). The two sources are memory dumps of RobloxPlayerBeta.exe:
  A = RobloxPlayerBeta.exe, 00000000.00000000.241598206.0000000003470000.00000002.00020000.sdmp
  B = RobloxPlayerBeta.exe, 00000000.00000000.233047240.0000000000C08000.00000004.00000020.sdmp
Several names are string-carving artefacts rather than distinct URLs: the extractor ran past the end of a URL into the adjacent format string or identifier (for example "...:8086TelegrafHTTPTransport..." or "www.roblox.com)ProbeHttp..."). Those rows carry a "low" or "unknown" reputation because the carved string is unknown to the reputation services, while carved strings that still start with a roblox.com path (for example "roblox.xsdSerializer::loadInstances") inherit the domain's "high" reputation; neither says anything about the sample by itself.

https://en.help.roblox.com/hc/en-us/articles/203312910?fromStudio=true | A | false | - | high
https://www.roblox.com/ | A | false | - | high
https://upload.crashes.rbxinfra.com/post? | B | false | Avira URL Cloud: safe | unknown
https://www.roblox.com/games/ | A | false | - | high
http://127.0.0.1:8001 | A | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://assetdelivery.roblox.com/v1/asset/?id= | A | false | - | high
https://assetgame.roblox.qq.com/asset/?id= | A | false | - | high
https://crbug.com/1053756 | A | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://www.roblox.com%s/asset/?id=%skeyframeSequenceRegisterActiveKeyframeSequenceRegisterKeyframeSe | A | false | Avira URL Cloud: safe | low
https://www.roblox.com/asset/?id= | A | false | - | high
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | A | false | - | high
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | A | false | Avira URL Cloud: safe | unknown
https://assetdelivery.roblox.qq.com/v1/asset/?id= | A | false | - | high
http://100.20.191.133:8086 | B | false | Avira URL Cloud: safe | unknown
https://c0ll.rbxcdn.com/test-50kb.png | B, A | false | - | high
https://curl.haxx.se/docs/http-cookies.html | A | false | - | high
http://100.20.191.133:8086TelegrafHTTPTransportUrlPointsListMaxDataSizeSessionCountIntervalSecondsAl | A | false | Avira URL Cloud: safe | low
http://assetgame.roblox.qq.com/asset/?id= | A | false | - | high
http://assetdelivery.roblox.qq.com/v1/asset/?id= | A | false | - | high
http://test.public.ecs.roblox.com/ | B | false | - | high
https://client-telemetry.roblox.com | A | false | - | high
https://www.roblox.qq.com/asset/?id= | A | false | - | high
https://assetgame.roblox.com/asset/?id= | A | false | - | high
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extensionhttp://www.we | A | false | Avira URL Cloud: safe | unknown
http://www.roblox.qq.com/ | A | false | - | high
http://35.155.141.13:8086ss | B | false | Avira URL Cloud: safe | low
https://upload.crashes.rbxinfra.com/post?format=minidump | B | false | Avira URL Cloud: safe | unknown
https://assetdelivery.roblox.com/v1/asset/?id=http://assetdelivery.roblox.com/v1/asset/?id=https://a | A | false | - | high
https://c0hw.rbxcdn.com/test-50kb.png | B, A | false | - | high
https://upload.crashes.rbxinfra.com/post?format=minidumppu | B | false | Avira URL Cloud: safe | unknown
http://www.roblox.com/ | A | false | - | high
https://upload.crashes.rbxinfra.com/post?format=minidumpCrashUploadToBacktraceWindowsRCCToken82fc562 | A | false | Avira URL Cloud: safe | unknown
http://www.roblox.com | A | false | - | high
https://developer.roblox.com/ | A | false | - | high
http://www.roblox.com)ProbeHttpRequestsPerMinuteLimitZeroProbeHttpRequestsPerMinuteLimitMultProbeHtt | A | false | Avira URL Cloud: safe | low
http://www.roblox.com/roblox.xsdSerializer::loadInstances | A | false | - | high
http://assetdelivery.roblox.com/v1/asset/?id= | A | false | - | high
https://www.roblox.qq.com/ | A | false | - | high
http://www.roblox.qq.com/asset/?id= | A | false | - | high
https://developer.roblox.com/ToolMouseCommand | A | false | - | high
http://assetgame.roblox.com/asset/?id= | A | false | - | high
https://c0ak.rbxcdn.com/test-50kb.png | B, A | false | - | high
http://www.roblox.com/roblox.xsd | A | false | - | high
http://www.roblox.com/asset/?id= | A | false | - | high
https://www.roblox.com/drivers | A | false | - | high
http://tools.ietf.org/html/draft-ietf-avtext-framemarking-07 | A | false | - | high
https://www.roblox.com/games/start? | A | false | - | high
https://c0cfly.rbxcdn.com/test-50kb.png | B, A | false | - | high
https://www.roblox.com/games/shaders_Screen | A | false | - | high
https://www.roblox.com/search/users?keyword= | A | false | - | high
http://35.155.141.13:8086 | B | false | Avira URL Cloud: safe | unknown
http://www.roblox.com) | A | false | Avira URL Cloud: safe | low
                                                                            No contacted IP infos

                                                                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 464540
Start date: 13.08.2021
Start time: 03:37:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 16s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: RobloxPlayerBeta.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.evad.winEXE@2/4@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 52.182.143.212, 52.168.117.173, 23.211.6.115, 204.79.197.200, 13.107.21.200, 20.82.209.183, 23.211.4.86, 40.112.88.60, 173.222.108.210, 173.222.108.226, 20.50.102.62, 80.67.82.211, 80.67.82.235
  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
  • Not all processes were analyzed; the report is missing behavior information. Note that WerFault.exe is on the whitelist above, so the crash handler that appears in the process tree was itself excluded from behaviour analysis.
Simulations (Time | Type | Description):

03:38:51 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

No context information (associated IPs, domains, ASNs, JA3 fingerprints or dropped files) is available for this sample.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_RobloxPlayerBeta_d5f49672be7739705eeaceda149751c314a11e_4e467e27_01e4797f\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 13616
Entropy (8bit): 3.769994155026186
Encrypted: false
SSDEEP: 192:H/3d5XZ8+MIH951JjRnJFD/u7sSS274It52:H/3TJPp951Jjh/u7sSX4It52
MD5: 9DEACDCC23552EDC96D82DDBFC625EC9
SHA1: 411E61ED46700BB83A1A1429DFF3FF795945B939
SHA-256: 21FC54FEE7FB07825044D04DB6ED2774E9138EEC5F2CA5F9050DA287A2BF6824
SHA-512: 6D44A13AE32646F7FE8C074E36A85DE7AEC824F421B86B3C8EAAB19319259ED82835F964D9379E2E4806DCBB57AC8ADA8D70441EF6150E8C456356CB5B01F06F
Malicious: false
Reputation: low
Preview (decoded from UTF-16LE; the dots in the raw preview are the NUL high bytes, and the preview is truncated):
  Version=1
  EventType=BEX
  EventTime=132733247288893696
  ReportType=2
  Consent=1
  UploadTime=132733247298393683
  ReportStatus=268435456
  ReportIdentifier=2daf419c-1f3d-4f1b-a2a2-9970dc46b740
  IntegratorReportIdentifier=b8a76025-ba9e-42ed-8cdd-16dd2effe4c9
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=RobloxPlayerBeta.exe
  OriginalFilename=RobloxApp.exe
  AppSessionGuid=00001678-0001-0017-4ffb-db572f90d701
  TargetAppId=W:0006d3ca7c866aa2d0843283e187dcf2fece00000904!000023c820b4da0b3898b7e3d8863cb5c9
Note that OriginalFilename (taken by WER from the binary's version resource) is RobloxApp.exe while the sample ran as RobloxPlayerBeta.exe; Wow64Host=34404 (0x8664, AMD64) and Wow64Guest=332 (0x14C, I386) record a 32-bit image under WOW64, which is why the crash handler is the SysWOW64 WerFault.exe.
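The decoded Report.wer above is just Key=Value lines in UTF-16LE, so the cross-checks a triager would do by hand (does the version-resource name match the file name, what architecture crashed, when did it crash in UTC) are easy to script. The following is an added example written for this page, not code from the sandbox report or from Roblox; SAMPLE_REPORT_WER is constructed from the fields visible in the preview and re-encoded the way WER writes the file, and the BEX/FILETIME/machine-type interpretations are standard Windows facts, not something the report states.

```python
"""Decode a Windows Error Reporting Report.wer file and cross-check the
crash facts it records against the sample being triaged.

Added example for this page (not from the sandbox report or Roblox).
SAMPLE_REPORT_WER is constructed from the preview fields shown above.
"""
import codecs
from datetime import datetime, timedelta, timezone

# Constructed input: first fields of the dropped Report.wer, re-encoded as
# WER writes them (BOM + UTF-16LE + CRLF). The sandbox preview shows this
# encoding as "V.e.r.s.i.o.n." because every high byte is NUL.
SAMPLE_REPORT_WER = codecs.BOM_UTF16_LE + (
    "Version=1\r\n"
    "EventType=BEX\r\n"
    "EventTime=132733247288893696\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "UploadTime=132733247298393683\r\n"
    "ReportStatus=268435456\r\n"
    "ReportIdentifier=2daf419c-1f3d-4f1b-a2a2-9970dc46b740\r\n"
    "IntegratorReportIdentifier=b8a76025-ba9e-42ed-8cdd-16dd2effe4c9\r\n"
    "Wow64Host=34404\r\n"
    "Wow64Guest=332\r\n"
    "NsAppName=RobloxPlayerBeta.exe\r\n"
    "OriginalFilename=RobloxApp.exe\r\n"
    "AppSessionGuid=00001678-0001-0017-4ffb-db572f90d701\r\n"
).encode("utf-16-le")

# IMAGE_FILE_MACHINE_* constants; Wow64Host/Wow64Guest store them in decimal.
_MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}

# Windows FILETIME epoch: 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_wer_report(data: bytes) -> dict:
    """Return the Key=Value fields of a Report.wer blob as a dict.

    WER writes UTF-16LE with a BOM and CRLF line ends. A copy that lost its
    BOM still decodes because little-endian is assumed. Lines without '='
    are skipped and a repeated key keeps its last value.
    """
    if data.startswith(codecs.BOM_UTF16_LE):
        data = data[len(codecs.BOM_UTF16_LE):]
    text = data.decode("utf-16-le", errors="replace")
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def filename_mismatch(fields: dict) -> tuple:
    """Compare the name the process ran under (NsAppName) with the
    OriginalFilename WER copied out of the binary's VERSIONINFO resource.

    Returns (mismatch, ran_as, original). A mismatch alone is not evidence
    of malice (vendors rename binaries at release time), but it is the same
    cheap static check a sandbox flags, and a renamed legitimate binary and
    a renamed trojan look identical at this layer, so record it either way.
    """
    ran_as = fields.get("NsAppName", "")
    original = fields.get("OriginalFilename", "")
    return (ran_as.lower() != original.lower(), ran_as, original)


def wow64_machines(fields: dict) -> tuple:
    """Translate Wow64Host/Wow64Guest into PE machine names, e.g.
    ("AMD64", "I386") for a 32-bit image crashing under WOW64 on x64,
    which is why WerFault.exe ran from C:\\Windows\\SysWOW64."""
    host = _MACHINE_NAMES.get(int(fields.get("Wow64Host", "0")), "unknown")
    guest = _MACHINE_NAMES.get(int(fields.get("Wow64Guest", "0")), "unknown")
    return host, guest


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a FILETIME (EventTime/UploadTime) to an aware UTC datetime so
    it can be lined up with the sandbox clock and the minidump timestamp."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def is_buffer_overrun_bucket(fields: dict) -> bool:
    """EventType=BEX is WER's bucket for faults raised by buffer-overrun
    style checks (for example a /GS cookie failure, STATUS_STACK_BUFFER_OVERRUN
    0xC0000409), as opposed to APPCRASH for an ordinary unhandled exception."""
    return fields.get("EventType", "").upper() in ("BEX", "BEX64")


if __name__ == "__main__":
    f = parse_wer_report(SAMPLE_REPORT_WER)
    print("mismatch:", filename_mismatch(f))
    print("host/guest:", wow64_machines(f))
    print("crash (UTC):", filetime_to_utc(int(f["EventTime"])).isoformat())
    print("buffer-overrun bucket:", is_buffer_overrun_bucket(f))
```

For this report the decoded EventTime lands at 10:38:48 UTC, one second before the minidump's own "Fri Aug 13 10:38:49 2021" stamp and about 70 seconds after the 03:37:38 Pacific start time, which is a quick way to confirm the crash is the sandbox's run and not a stale report left on the image.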
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7057.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Fri Aug 13 10:38:49 2021, 0x1205a4 type
Category: dropped
Size (bytes): 63538
Entropy (8bit): 2.2917492500178267
Encrypted: false
SSDEEP: 192:ZLpSHAbqj9llhRNRV1vL/qtI7aovoDPr2NKy6dTyKwLfmt2UeZp+y3IMMBFIqtKX:jSgeR1vOK7xgKNgyKtheZp+OIFB+Y5u
MD5: 48AAD875428A5B1687532B54243E3B29
SHA1: 7FF376241DA5D2084C438CF6CEC9D32FE29FDE76
SHA-256: CE48E640214C7BDE7CD1C0FA5534220D9F5F8D0226CB7DFCB4446B8F73791EE6
SHA-512: A3733CA8D02E9513E7396731FE3F73B7C22FB7D6184B5F0F3C3B5A3F4D19CACC061ABE25946361E8A724B59C6F84025C11A7D64B638A0683F292651F193DB87C
Malicious: false
Reputation: low
Preview (binary minidump; the readable strings recoverable from the preview are): MDMP header; GenuineIntel; Pacific Standard Time; Pacific Daylight Time; 17134.1.x86fre.rs4_release.180410-1804; dbgcore.i386,10.0.17134.1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER72D9.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8446
Entropy (8bit): 3.695613808776714
Encrypted: false
SSDEEP: 192:Rrl7r3GLNipB6AS6YS7SUpNTCEgmftSyCpDo89b2dsf/ym:RrlsNi/6N6YOSUTTCEgmftSn2Wf7
MD5: 201C91FD74D01DCA7224B9C32FC03A7C
SHA1: 6E50C63ED2C9D3B65941C8B5E763D1920D000285
SHA-256: 545525FB4268C95651BC6C7A5AD7CAAB6B23BC544E8B66284F20C86D8F6C9A3B
SHA-512: 248558E4455944A1FAFFFD94FC51BB058C1DAC7D4A878E6D39AE215BD0F8C6A33B4784C6E64897CF0C253D1641A9B048653EEBDDEB72F55AF4CE1CF1A1755CB7
Malicious: false
Reputation: low
Preview (decoded from UTF-16LE; truncated at the point the raw preview ends):
  <?xml version="1.0" encoding="UTF-16"?>
  <WERReportMetadata>
    <OSVersionInformation>
      <WindowsNTVersion>10.0</WindowsNTVersion>
      <Build>17134</Build>
      <Product>(0x30): Windows 10 Pro</Product>
      <Edition>Professional</Edition>
      <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
      <Revision>1</Revision>
      <Flavor>Multiprocessor Free</Flavor>
      <Architecture>X64</Architecture>
      <LCID>1033</LCID>
    </OSVersionInformation>
    <ProcessInformation>
      <Pid>5752</Pid>
C:\ProgramData\Microsoft\Windows\WER\Temp\WER73A5.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4800
Entropy (8bit): 4.477425712209682
Encrypted: false
SSDEEP: 48:cvIwSD8zsLJgtWI9gJ8RWSC8B+8fm8M4J+wfTlwFo/+q8vTfTlzvI5sH8kFwqF8V:uITflbJ8ASNlJ+wbV/KTbZI5iFwqF4d
MD5: 7AC36B501A5975A4B3775C48ABA0DFF4
SHA1: B30B2D69F25AC8B4ED073E194EC9B1D8627F53DF
SHA-256: D98AFD3BE307ECED38B2AFD31F6AF9D278B386AACD4DA3EA3A7AFA71D41664AD
SHA-512: C0D6BC1760D52712767713DBAFBBFC42D05EFDA07973B6D39219735C54232918EEB16CB86C3C6A891BBE316AE7CD60D14C25D706F4B2646A8F8D18FAE745B751
Malicious: false
Reputation: low
Preview (the ".." in the raw preview are CRLF line ends; truncated at the point the raw preview ends):
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <req ver="2">
    <tlm>
      <src>
        <desc>
          <mach>
            <os>
              <arg nm="vermaj" val="10" />
              <arg nm="vermin" val="0" />
              <arg nm="verbld" val="17134" />
              <arg nm="vercsdbld" val="1" />
              <arg nm="verqfe" val="1" />
              <arg nm="csdbld" val="1" />
              <arg nm="versp" val="0" />
              <arg nm="arch" val="9" />
              <arg nm="lcid" val="1033" />
              <arg nm="geoid" val="244" />
              <arg nm="sku" val="48" />
              <arg nm="domain" val="0" />
              <arg nm="prodsuite" val="256" />
              <arg nm="ntprodtype" val="1" />
              <arg nm="platid" val="2" />
              <arg nm="tmsi" val="1120069" />
              <arg nm="osinsty" val="1" />
              <arg nm="iever" val="11.1.17134.0-11.0.47" />
              <arg nm="portos" val="0" />
              <arg nm="ram" val="4096" />

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.298572110312639
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:RobloxPlayerBeta.exe
File size:43335640
MD5:710d9b62fb4a44ada297c90890d655eb
SHA1:0e6459ba901763b1d644924a74e807c75224b0fd
SHA256:df7eeecca08052d1a779af121c975fc7e67e45589a55037f8bf7833c42532a59
SHA512:e5cf0fb34732c7084a181ec228c068ac1686b073f7d234dc6a6af7a2a5884c1b67c80a79f4fe5ed6be44fa21b107b11f3bff120cc25551b66af35e075b930868
SSDEEP:786432:u/j5asOcuT4Mymj+Q3Ukn+tbU9AUP03Yy0ZzsnW4mh7je6ySzWwi/6gn4LNFg3/g:bsOHT4Mymj+Q3Ukn+tbU9AUP0IyQzsn+
File Content Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......l.._(...(...(...<.......<........R[.....z.......z.......z.......<...)...<...i...........<...-.......*...........(.......3o6.)..

File Icon

Icon Hash:7ce080cccedae0c0

General

Entrypoint:0x412a878
Entrypoint Section:.vmp1
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x973ACCFF [Thu May 26 21:26:23 2050 UTC]
TLS Callbacks:0x36ae54e, 0x1df15f9, 0x6133e0, 0x1df1677, 0x613410
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:29e6bd1835aaef096c5c7af6684f0731
Signature Valid:true
Signature Issuer:CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
• 7/12/2019 5:00:00 PM 7/12/2022 4:59:59 PM
Subject Chain
• CN=Roblox Corporation, O=Roblox Corporation, L=San Mateo, S=California, C=US
Version:3
Thumbprint MD5:5C460FB7E07674686CB93C2A036450FE
Thumbprint SHA-1:6650B1AB4BEEBA75501A7A8C2EB177388E890802
Thumbprint SHA-256:42A4E28E18BF52D6376334F6458BD9B3A0F459A0103776AC0FA041965C96164C
Serial:7A0BAB6C70F0A1288099F77CB3C3C1AA
Instruction
push 758A51E7h
call 00007FEE9823085Dh
add ebp, ecx
jmp 00007FEE982197C9h
test di, di
xor bx, cx
clc
lea ebp, dword ptr [ebp-00000002h]
mov word ptr [ebp+00h], cx
bt ecx, ecx
mov ecx, dword ptr [esi]
lea esi, dword ptr [esi+00000004h]
stc
test esp, 69286055h
cmc
xor ecx, ebx
stc
ror ecx, 03h
jmp 00007FEE985CA06Fh
rol ecx, 1
cmp bl, FFFFFFBBh
test si, di
sub ecx, 349A48CAh
stc
bswap ecx
neg ecx
lea ecx, dword ptr [ecx+190F3435h]
cmp ch, 0000007Bh
xor ecx, 4CFD1381h
bswap ecx
add ecx, 4AAF53EAh
ror ecx, 1
xor ebx, ecx
test esp, edi
add edi, ecx
jmp 00007FEE9861D88Dh
bswap edx
jmp 00007FEE98CD6795h
inc edx
stc
xor ebx, edx
add edi, edx
push edi
ret
lea edi, dword ptr [edi-00000001h]
movzx ecx, byte ptr [edi]
jmp 00007FEE986349D2h
dec esp
mov ecx, dword ptr [esi]
inc sp
mov esp, dword ptr [esi+08h]
dec eax
add esi, 0000000Ah
xor di, 14D0h
dec eax
rcl edi, cl
dec eax
bt edi, ebp
inc bp
mov dword ptr [ecx], esp
dec eax
add edi, edx
dec ecx
arpl di, di
dec eax
movsx edi, bx
dec ecx
sub eax, 00000004h
inc ecx
mov edi, dword ptr [eax]
Programming Language:
• [ C ] VS2010 SP1 build 40219
• [ C ] VS2015 UPD3.1 build 24215
• [IMP] VS2015 UPD3.1 build 24215
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x329e474 | 0x8d | .vmp1
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d32fb8 | 0x2a8 | .vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e8c000 | 0x49f32 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2951e00 | 0x21d8 | .rdata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3d97000 | 0xf4d94 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3d85f80 | 0x70 | .vmp1
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x3638efc | 0x140 | .vmp1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3d85910 | 0x40 | .vmp1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x36a5000 | 0xd4c | .vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1bb4106 | 0x1bb4200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.zero | 0x1bb6000 | 0x3642 | 0x3800 | False | 0.00258091517857 | data | 0.0 |
.rdata | 0x1bba000 | 0xdffbd0 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x29ba000 | 0x446520 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rodata | 0x2e01000 | 0xba0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmpx | 0x2e02000 | 0xe78 | 0x1000 | False | 0.147216796875 | data | 1.67470523123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
rbxi | 0x2e03000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x2e04000 | 0x1ce0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp0 | 0x2e06000 | 0x3366b4 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.vmp1 | 0x313d000 | 0xc59fa0 | 0xc5a000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x3d97000 | 0xf4d94 | 0xf4e00 | False | 0.724587440978 | data | 6.81779634953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3e8c000 | 0x49f32 | 0x4a000 | False | 0.366682722762 | data | 5.43077456397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3e8c448 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0x3e9cc70 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x3e9d0d8 | 0x78da | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x3ea49b4 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x3ea5a5c | 0x4120 | data | English | United States
RT_ICON | 0x3ea9b7c | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0x3eba3a4 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x3eba80c | 0x6b8 | data | English | United States
RT_ICON | 0x3ebaec4 | 0x988 | data | English | United States
RT_ICON | 0x3ebb84c | 0x78da | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x3ec3128 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x3ec41d0 | 0x1a68 | data | English | United States
RT_ICON | 0x3ec5c38 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x3ec81e0 | 0x4120 | data | English | United States
RT_ICON | 0x3ecc300 | 0x148 | data | English | United States
RT_ICON | 0x3ecc448 | 0x931c | data | English | United States
RT_GROUP_ICON | 0x3ed5764 | 0xe6 | data | English | United States
RT_VERSION | 0x3ed584c | 0x350 | data | English | United States
RT_HTML | 0x3ed5b9c | 0xb2 | HTML document, ASCII text, with CRLF line terminators | English | United States
RT_MANIFEST | 0x3ed5c50 | 0x2e2 | ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
IMM32.dll | ImmGetContext, ImmSetOpenStatus, ImmAssociateContext, ImmGetDefaultIMEWnd, ImmSetCompositionWindow, ImmGetCompositionStringA, ImmGetOpenStatus, ImmGetConversionStatus, ImmReleaseContext, ImmGetCompositionStringW
SensApi.dll | IsNetworkAlive
urlmon.dll | UrlMkSetSessionOption, ObtainUserAgentString
MSACM32.dll | acmStreamSize, acmStreamConvert, acmStreamUnprepareHeader, acmStreamPrepareHeader, acmFormatSuggest, acmStreamOpen
WINHTTP.dll | WinHttpSetCredentials, WinHttpSetTimeouts, WinHttpWriteData, WinHttpSetStatusCallback, WinHttpGetProxyForUrl, WinHttpQueryAuthSchemes, WinHttpCloseHandle, WinHttpSetOption, WinHttpConnect, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpOpen, WinHttpAddRequestHeaders, WinHttpOpenRequest, WinHttpReadData, WinHttpQueryHeaders, WinHttpQueryDataAvailable
WS2_32.dll | shutdown, listen, WSASetLastError, WSAStartup, getsockname, send, select, ntohs, recv, htons, WSACleanup, setsockopt, socket, WSAGetLastError, sendto, freeaddrinfo, connect, getaddrinfo, inet_addr, bind, ntohl, htonl, inet_pton, WSAIoctl, ioctlsocket, __WSAFDIsSet, recvfrom, gethostname, getsockopt, WSARecv, WSAAddressToStringW, getpeername, WSASocketW, WSAStringToAddressW, WSASend, WSAEnumNetworkEvents, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSASetEvent, closesocket, WSACreateEvent, getnameinfo, WSACloseEvent, accept
CRYPT32.dll | CertCreateCertificateContext, CryptProtectData, CertOpenStore, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CryptUnprotectData, CertGetNameStringW, CertGetCertificateContextProperty, CryptStringToBinaryA, CryptDecodeObjectEx, CryptMsgClose, CertCloseStore, CertFindCertificateInStore, CryptMsgGetParam, CryptQueryObject, CertGetNameStringA, CertGetCertificateChain, CertFreeCertificateChain, CertFreeCertificateContext, CryptDecodeObject
msdmo.dll | MoInitMediaType, MoFreeMediaType
WINMM.dll | waveInClose, waveInPrepareHeader, waveOutGetNumDevs, timeEndPeriod, waveInGetNumDevs, waveOutGetDevCapsW, waveInReset, waveInUnprepareHeader, waveOutUnprepareHeader, waveOutClose, waveInGetDevCapsW, waveOutReset, waveInOpen, waveOutOpen, waveOutPrepareHeader, waveInStart, waveInAddBuffer, waveOutGetPosition, timeSetEvent, timeGetDevCaps, timeBeginPeriod, timeGetTime, timeKillEvent, waveOutWrite
Secur32.dll | DeleteSecurityContext, InitializeSecurityContextA, FreeCredentialsHandle, AcquireCredentialsHandleA, CompleteAuthToken
KERNEL32.dll | InterlockedFlushSList, GetVersionExW, LoadLibraryExW, ReadDirectoryChangesW, CancelIo, FindFirstFileExW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, IsValidCodePage, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetConsoleOutputCP, GetTimeZoneInformation, SetEnvironmentVariableW, ExitThread, SetStdHandle, SystemTimeToTzSpecificLocalTime, PeekNamedPipe, GetDriveTypeW, SetConsoleCtrlHandler, GetCommandLineW, GetCommandLineA, FreeLibraryAndExitThread, GetThreadTimes, UnregisterWait, RegisterWaitForSingleObject, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, GetTickCount, GetSystemTimeAsFileTime, WaitForSingleObjectEx, WideCharToMultiByte, MultiByteToWideChar, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, HeapDestroy, CloseHandle, GetLastError, GetProcAddress, GetModuleFileNameW, GetModuleFileNameA, WaitForSingleObject, FormatMessageA, MulDiv, GetSystemPowerStatus, CreateEventA, UnmapViewOfFile, GetTempPathW, GetSystemTime, SystemTimeToFileTime, FindFirstFileW, DeleteFileW, FindNextFileW, SetEvent, CreateFileMappingA, MapViewOfFile, GetUserGeoID, GetGeoInfoA, GetModuleHandleA, GetProfileStringA, SetCurrentDirectoryW, OutputDebugStringA, VirtualProtect, CreateMutexA, ResetEvent, WaitForMultipleObjects, ReleaseMutex, OpenEventA, LoadResource, LockResource, GlobalAlloc, GlobalLock, GlobalUnlock, EnterCriticalSection, LeaveCriticalSection, RaiseException, SetLastError, GlobalHandle, GlobalFree, FindResourceA, DeleteCriticalSection, InitializeCriticalSectionEx, lstrcmpA, GetCurrentThreadId, Sleep, LocalAlloc, LocalFree, FileTimeToSystemTime, lstrcpynW, GetTickCount64, OutputDebugStringW, FreeLibrary, lstrcmpiA, IsDBCSLeadByte, SizeofResource, LoadLibraryExA, IsDebuggerPresent, ExitProcess, FindResourceExA, FindResourceW, VirtualQuery, K32GetModuleInformation, GetCurrentProcess, GetModuleHandleExA, DecodePointer, QueryPerformanceCounter, QueryPerformanceFrequency, InitializeCriticalSection, VirtualAlloc, VirtualFree, CreateFileA, GetCurrentProcessId, WriteFile, OpenThread, SuspendThread, GetThreadContext, ResumeThread, TerminateProcess, LoadLibraryA, WriteProcessMemory, SetUnhandledExceptionFilter, SetErrorMode, CreateProcessA, GetWindowsDirectoryW, K32EnumProcessModules, K32GetModuleFileNameExW, GetThreadPriority, SetThreadPriority, ReleaseSemaphore, DuplicateHandle, CreateSemaphoreA, QueryDepthSList, CreateThread, lstrlenW, GetACP, GetCurrentThread, GetVersionExA, GetLocalTime, CreateFileW, DeleteFileA, FindResourceExW, FindFirstFileA, FindNextFileA, CompareFileTime, GetShortPathNameW, VerSetConditionMask, VerifyVersionInfoW, IsWow64Process, CreateToolhelp32Snapshot, Module32FirstW, Module32NextW, GetTempPathA, FindFirstChangeNotificationA, SetThreadContext, WaitForMultipleObjectsEx, GetLocaleInfoW, GetModuleHandleW, LCMapStringW, WriteProfileStringW, K32GetProcessMemoryInfo, GlobalMemoryStatusEx, GetProcessTimes, LoadLibraryW, SwitchToThread, GetFileSizeEx, CreateFileMappingW, Process32First, Process32Next, SetWaitableTimer, TlsSetValue, GetLogicalProcessorInformation, TlsAlloc, CreateWaitableTimerA, TlsGetValue, TlsFree, CreateDirectoryW, GetFullPathNameW, DeviceIoControl, RemoveDirectoryW, SetFileTime, SetEndOfFile, FindClose, GetFileAttributesW, GetFileInformationByHandle, GetFileAttributesExW, GetDiskFreeSpaceExW, GetCurrentDirectoryW, SetFilePointerEx, MoveFileExW, CopyFileW, GetFileTime, SetFilePointer, AreFileApisANSI, SetThreadAffinityMask, ReadFile, TryEnterCriticalSection, FlushFileBuffers, GetSystemDirectoryA, Thread32First, Thread32Next, CompareStringW, GetThreadLocale, ExpandEnvironmentStringsW, SearchPathW, OpenEventW, GetEnvironmentVariableA, HeapCreate, FreeConsole, GetProcessAffinityMask, GetStdHandle, InitializeCriticalSectionAndSpinCount, FormatMessageW, AttachConsole, WriteConsoleW, CreateSemaphoreW, GetTimeFormatEx, GetDateFormatEx, CreateWaitableTimerW, GetQueuedCompletionStatus, CreateMutexW, PostQueuedCompletionStatus, CreateEventW, TerminateThread, QueueUserAPC, SleepEx, CreateIoCompletionPort, InitializeConditionVariable, WakeConditionVariable, SleepConditionVariableCS, WakeAllConditionVariable, GetNativeSystemInfo, VerifyVersionInfoA, FlushInstructionCache, DebugBreak, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, ReleaseSRWLockShared, AcquireSRWLockShared, GetModuleHandleExW, GetEnvironmentVariableW, ChangeTimerQueueTimer, SetConsoleMode, ReadConsoleA, ReadConsoleW, SwitchToFiber, DeleteFiber, CreateFiber, GetFileType, ConvertFiberToThread, ConvertThreadToFiber, CreateTimerQueueTimer, SignalObjectAndWait, CreateTimerQueue, GetStartupInfoW, RtlUnwind, UnhandledExceptionFilter, GetCPInfo, QueueUserWorkItem, GetStringTypeW, GetExitCodeThread, IsProcessorFeaturePresent, GetSystemInfo, GetConsoleMode, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, EncodePointer, UnregisterWaitEx
USER32.dll | GetWindowThreadProcessId, SetRectEmpty, DispatchMessageA, FindWindowA, GetWindowInfo, EnumWindows, EmptyClipboard, SetClipboardData, MapVirtualKeyW, SendMessageW, PostMessageW, GetClassInfoExW, LoadCursorW, EnumDisplayDevicesA, GetAsyncKeyState, UnregisterDeviceNotification, RegisterDeviceNotificationW, UnregisterClassW, KillTimer, MsgWaitForMultipleObjectsEx, SetTimer, GetProcessWindowStation, GetUserObjectInformationW, SetForegroundWindow, SetWindowPlacement, ChangeDisplaySettingsExA, EnumDisplaySettingsExA, GetWindowPlacement, EndDialog, MapDialogRect, SetWindowContextHelpId, LoadIconA, MapWindowPoints, LoadImageA, MessageBoxExA, DispatchMessageW, TranslateMessage, UpdateWindow, ShowWindow, RegisterTouchWindow, CreateWindowExW, LoadStringW, GetMessageW, PeekMessageW, RegisterClassExW, LoadIconW, PostQuitMessage, GetDoubleClickTime, MapVirtualKeyA, MapVirtualKeyExA, GetRawInputData, TrackMouseEvent, GetCursorPos, SetCursor, GetForegroundWindow, CloseTouchInputHandle, GetTouchInputInfo, WindowFromPoint, SetRect, ClipCursor, GetWindowRect, CloseClipboard, GetClipboardData, OpenClipboard, ActivateKeyboardLayout, UnloadKeyboardLayout, RegisterRawInputDevices, LoadKeyboardLayoutA, GetMonitorInfoA, GetKeyboardLayoutList, GetKeyboardLayoutNameW, EnableWindow, RegisterWindowMessageA, GetWindowTextLengthA, GetWindowTextA, SetWindowTextA, BeginPaint, EndPaint, IsChild, GetFocus, SetFocus, GetDlgItem, SendMessageA, GetClassNameA, GetSysColor, RedrawWindow, GetClassInfoExA, CreateWindowExA, CreateAcceleratorTableA, ClientToScreen, GetParent, ScreenToClient, MoveWindow, SetCapture, ReleaseCapture, FillRect, GetClientRect, InvalidateRgn, CallWindowProcA, InvalidateRect, GetDC, ReleaseDC, GetDesktopWindow, DestroyAcceleratorTable, GetWindowLongA, SetWindowLongA, DefWindowProcA, LoadCursorA, RegisterClassExA, CreateDialogIndirectParamA, UnregisterClassA, DestroyWindow, SetWindowPos, IsDialogMessageA, IsWindow, ShowWindowAsync, GetWindow, DefWindowProcW, MessageBoxW, GetSystemMetrics, SetWindowTextW, PostMessageA, MessageBoxA, MonitorFromWindow, EnumDisplayMonitors, CharNextA, PostThreadMessageA, PtInRect, PeekMessageA, GetKeyboardLayout
GDI32.dll | CreateSolidBrush, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, DeleteObject, BitBlt, DeleteDC, GetStockObject, GetObjectA, GetDeviceCaps, GetDIBits, ChoosePixelFormat, SetPixelFormat, SwapBuffers
SHELL32.dll | SHQueryUserNotificationState, ShellExecuteW, SHGetFolderPathW, SHGetSpecialFolderPathW, SHGetFolderPathAndSubDirW, ShellExecuteA
ole32.dll | CoTaskMemAlloc, StringFromGUID2, OleLockRunning, CoGetClassObject, CLSIDFromProgID, CLSIDFromString, OleInitialize, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoInitializeEx, CoCreateGuid, PropVariantClear, CreateStreamOnHGlobal, CoInitializeSecurity, CoSetProxyBlanket, CoTaskMemFree, CoTaskMemRealloc, CoFreeUnusedLibraries
OLEAUT32.dll | SysAllocStringLen, SysStringLen, SysFreeString, SysAllocString, OleCreateFontIndirect, LoadRegTypeLib, LoadTypeLib, VariantClear, VariantInit, SysAllocStringByteLen, SysStringByteLen, VarUI4FromStr
ADVAPI32.dll | RegEnumKeyExA, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegGetValueW, RegDeleteKeyA, RegQueryInfoKeyW, EqualSid, RegSetValueExA, RegCreateKeyExA, FreeSid, RegOpenKeyExW, RegDeleteValueA, OpenProcessToken, GetTokenInformation, RegQueryValueExW, CryptGenRandom, CryptEnumProvidersW, CryptSignHashW, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, ReportEventW, RegisterEventSourceW, DeregisterEventSource, SystemFunction036, CryptDestroyKey, CryptVerifySignatureA, CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptImportKey, CryptGetHashParam, CryptReleaseContext, RegQueryInfoKeyA, AllocateAndInitializeSid
SHLWAPI.dll | PathAppendA, PathFindFileNameW, PathFindFileNameA, PathAddBackslashA
dbghelp.dll | MiniDumpWriteDump
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
HID.DLL | HidD_GetHidGuid
SETUPAPI.dll | SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailA, SetupDiGetClassDevsA
WINTRUST.dll | WinVerifyTrust
WININET.dll | InternetGetCookieExA, InternetSetCookieExA
IPHLPAPI.DLL | GetAdaptersAddresses
POWRPROF.dll | CallNtPowerInformation
OPENGL32.dll | glDepthMask, glDepthFunc, glBlendFunc, glColorMask, glPolygonOffset, glCullFace, glDisable, wglGetCurrentContext, glStencilFunc, glStencilOp, glPolygonMode, glClearColor, glClearDepth, glClearStencil, glClear, glDrawElements, glDrawArrays, glGenTextures, glTexImage2D, glTexParameteri, glPixelStorei, glTexSubImage2D, glDeleteTextures, glGetTexImage, glReadPixels, glTexParameterfv, glTexParameterf, glCopyTexSubImage2D, glReadBuffer, glBindTexture, glScissor, wglDeleteContext, wglMakeCurrent, wglCreateContext, wglGetCurrentDC, glGetError, glGetString, wglGetProcAddress, glStencilMask, glEnable, glViewport, glGetIntegerv
                                                                            COMCTL32.dllImageList_AddMasked, ImageList_Create
                                                                            WTSAPI32.dllWTSSendMessageW
                                                                            KERNEL32.dllVirtualQuery, GetSystemTimeAsFileTime, GetModuleHandleA, CreateEventA, GetModuleFileNameW, LoadLibraryA, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, LocalAlloc, LocalFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetModuleHandleW, LoadResource, MultiByteToWideChar, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetCommandLineA, RaiseException, RtlUnwind, HeapFree, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapReAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteFile, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, SetStdHandle
                                                                            USER32.dllGetProcessWindowStation, GetUserObjectInformationW, CharUpperBuffW, MessageBoxW
                                                                            KERNEL32.dllLocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
                                                                            USER32.dllGetProcessWindowStation, GetUserObjectInformationW
Name | Ordinal | Address
AmdPowerXpressRequestHighPerformance | 1 | 0x2dc6684
NvOptimusEnablement | 2 | 0x2dc658c
Description | Data
LegalCopyright | Copyright 2020 Roblox Corporation. All rights reserved.
InternalName | RobloxApp.exe
FileVersion | 0, 490, 0, 4900359
CompanyName | Roblox Corporation
ProductName | Roblox
ProductVersion | 0, 490, 0, 4900359
FileDescription | Roblox Game Client
OriginalFilename | RobloxApp.exe
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken | Map
English | United States

Network Behavior

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 13, 2021 03:38:16.948261976 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:16.976721048 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:17.766441107 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:17.795283079 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:18.951518059 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:18.988492012 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:19.540689945 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:19.570673943 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:20.195031881 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:20.228369951 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:20.962414980 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:21.000380039 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:22.304604053 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:22.330359936 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:23.002171040 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:23.035599947 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:23.956660986 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:23.990262985 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:28.521548033 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:28.555160999 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:32.535053015 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:32.567327023 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:33.412964106 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:33.448533058 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:34.244590044 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:34.277512074 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:35.195682049 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:35.223104954 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:36.038499117 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:36.068218946 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:36.867141008 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:36.895184040 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:37.671770096 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:37.709443092 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:38.571886063 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:38.605670929 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:40.639056921 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:40.671864986 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:43.542229891 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:43.585479975 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:50.156037092 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:50.194518089 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:52.122297049 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:52.171874046 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:38:56.013650894 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:38:56.063819885 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:39:08.488281965 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:39:08.534035921 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:39:11.575344086 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:39:11.619784117 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:39:26.277395964 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:39:26.323875904 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:39:28.960136890 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:39:28.996423006 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:40:00.843928099 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:40:00.876744032 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Aug 13, 2021 03:40:02.573661089 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Aug 13, 2021 03:40:02.606228113 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3

Code Manipulations

Statistics

CPU Usage

[CPU usage chart: x-axis 0 to 100 s, y-axis 0 to 100]

Memory Usage

[Memory usage chart: x-axis 0 to 100 s, y-axis 0.00 to 80 MB]

High Level Behavior Distribution

• File
• Registry

Behavior

System Behavior

Start time: 03:38:32
Start date: 13/08/2021
Path: C:\Users\user\Desktop\RobloxPlayerBeta.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\RobloxPlayerBeta.exe'
Imagebase: 0xf40000
File size: 43335640 bytes
MD5 hash: 710D9B62FB4A44ADA297C90890D655EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 03:38:47
Start date: 13/08/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 800
Imagebase: 0xb20000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis