hxxps://github[.]com/NeobloxExecutor/neoblox/releases/tag/v6[.]1

Analysis

max time kernel
1791s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NeobloxExecutor/neoblox/releases/tag/v6.1

Score

10^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RobloxPlayerBeta.exe

description pid process target process

PID 1768 created 2640 1768 RobloxPlayerBeta.exe Explorer.EXE
Downloads MZ/PE file

description	pid	process	target process
PID 1768 created 2640	1768	RobloxPlayerBeta.exe	Explorer.EXE

Drops file in Drivers directory 2 IoCs

Processes:

lightweightNeoblox.exeNeoblox.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	lightweightNeoblox.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Neoblox.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exeRobloxPlayerBeta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	RobloxPlayerBeta.exe

Executes dropped EXE 12 IoCs

Processes:

neobloxBootstrapper.exeneobloxBootstrapper.exelightweightNeoblox.exeneobloxBootstrapper.exeNeoblox.exeRobloxPlayerLauncher.exeRobloxPlayerLauncher.exeChromeRecovery.exeRobloxPlayerLauncher.exeRobloxPlayerLauncher.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exe

pid	process
4436	neobloxBootstrapper.exe
4172	neobloxBootstrapper.exe
3068	lightweightNeoblox.exe
4364	neobloxBootstrapper.exe
864	Neoblox.exe
4540	RobloxPlayerLauncher.exe
3840	RobloxPlayerLauncher.exe
1472	ChromeRecovery.exe
3616	RobloxPlayerLauncher.exe
2388	RobloxPlayerLauncher.exe
1768	RobloxPlayerBeta.exe
3428	RobloxPlayerBeta.exe

Loads dropped DLL 21 IoCs

Processes:

lightweightNeoblox.exeNeoblox.exe

pid	process
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
3068	lightweightNeoblox.exe
864	Neoblox.exe
864	Neoblox.exe
864	Neoblox.exe
864	Neoblox.exe
864	Neoblox.exe
864	Neoblox.exe
864	Neoblox.exe
864	Neoblox.exe
864	Neoblox.exe
864	Neoblox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RobloxPlayerBeta.exe

description pid process target process

PID 1768 set thread context of 3428 1768 RobloxPlayerBeta.exe RobloxPlayerBeta.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

description	pid	process	target process
PID 1768 set thread context of 3428	1768	RobloxPlayerBeta.exe	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

Processes:

RobloxPlayerLauncher.exe

description	ioc	process
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\2D-Collision-Matchers\2D-Collision-Matchers\below.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\NetworkingGames-8201de9c-db69cf81\NetworkingGames\networkRequests\createGetExperiencesProductInfo.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Flags\getFFlagUpdateUploadContacts.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppLocales\RobloxAppLocales\Locales\my-mm.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\TerrainTools\mt_grow.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\ui\PurchasePrompt\SingleButtonDown.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\RoduxShareLinks\enumerate.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\String\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\AppCommonLib\AppCommonLib\isRunningInStudio.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\DiscoverabilityModal\DiscoverabilityModal\Components\DiscoverabilityOverlay\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\Http\Requests\ChatSendMessage.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\StudioSharedUI\pending.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\textures\ui\LuaChatV2\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.3.4\LuauPolyfill\Symbol\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\ReactDebugTools-9c8468d8-8a7220fd\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\ReactMutableSource.new.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-24c5c11f-f6df649b\RoduxFriends\Reducers\Friends\recommendations\byUserId.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\QRCodeDisplay\QRCodeDisplay\jest.config.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\UserSearch\UIBlox.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-instudio-10x10.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\textures\ui\LuaApp\category\ic-popular.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\DeveloperFramework\Votes\rating_up_yellow.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\ui\Controls\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\PlatformContent\pc\textures\wood\normal.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\utilities\common\makeUniqueId.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Control\Slot\SlotTray.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Common\TextKeys.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VerifiedBadges\RoduxNetworking.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\LuaSocialLibrariesDeps\RoduxNetworking.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\ReactIs-a406e214-4230f473\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\RequestPipeline\RequestPipeline\RequestPipeline.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SetAlias\ContactsProtocol.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\TerrainTools\icon_regions_rotate.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\Expect-edcba0e9-3.2.1\Expect\jestMatchersObject_extracted.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RhodiumHelpers\UnitTestHelpers.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\TenFootUiGlobalNav\TenFootUiGlobalNav\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\PlatformContent\pc\textures\woodplanks\normaldetail.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\roblox_rodux-presence\rodux-presence\Actions\UpdateUserPresence.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\React.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\BubbleChat\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\mountClientApp\helpers\setUpConfigurationObjects.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\JestCore\JestSnapshot.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\UserLib\UserLib\Enum\WebPresenceMap.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\CollisionGroupsEditor\ToolbarIcon.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\LayeredClothingEditor\Add Icon.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\RoduxShareLinks\RoduxShareLinks\Actions\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\VirtualEvents\testHook.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-12e911c4-90b08185\LuauPolyfill\Array\filter.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\SocialLuaAnalytics.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SharedFlags\SharedFlags\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\SocialTabNavigationEventReceiver.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\AnimationEditor\icon_keyIndicator_selected.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\GameSettings\DottedBorder.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\StudioToolbox\ArrowExpanded.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\JestCircus\JestCircus\circus\legacy-code-todo-rewrite\temporarySnapshotData.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\ReactTestingLibrary\ReactTestingLibrary\__tests__\render.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\textures\ui\LuaApp\graphic\shimmer_lightTheme.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\AvatarEditorImages\Stretch\gr-tail.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\content\textures\particles\explosion01_shockwave_main.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\utilities\__tests__\init.roblox.spec.lua	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

RobloxPlayerLauncher.exeNeoblox.exeRobloxPlayerLauncher.exeRobloxPlayerBeta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FF2BC0FE-6533-4D4F-992B-F89FD835EF41}\AppName = "RobloxPlayerBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	Neoblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Neoblox.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ADF10625-73EC-4FE8-AD08-741B0A7D37B2}	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ADF10625-73EC-4FE8-AD08-741B0A7D37B2}\AppName = "RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ADF10625-73EC-4FE8-AD08-741B0A7D37B2}\Policy = "3"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ADF10625-73EC-4FE8-AD08-741B0A7D37B2}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-c5837a56b9bf486f\\"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Neoblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\RobloxPlayerBeta.exe = "11000"	RobloxPlayerBeta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Neoblox.exe = "11001"	Neoblox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	RobloxPlayerBeta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Neoblox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FF2BC0FE-6533-4D4F-992B-F89FD835EF41}	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FF2BC0FE-6533-4D4F-992B-F89FD835EF41}\Policy = "3"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FF2BC0FE-6533-4D4F-992B-F89FD835EF41}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-c5837a56b9bf486f\\"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe

Modifies data under HKEY_USERS 25 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "3"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "4"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "11"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "14"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "6"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "8"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "9"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "13"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "15"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "12"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "5"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "10"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "16"	svchost.exe

Modifies registry class 64 IoCs

Processes:

neobloxBootstrapper.exeRobloxPlayerLauncher.exeRobloxPlayerLauncher.exelightweightNeoblox.exesvchost.exechrome.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	neobloxBootstrapper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-c5837a56b9bf486f\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-c5837a56b9bf486f\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	lightweightNeoblox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	lightweightNeoblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-c5837a56b9bf486f\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-c5837a56b9bf486f\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	lightweightNeoblox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	lightweightNeoblox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "5"	lightweightNeoblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{FF60F7C8-D826-4DA3-B645-944BE7F2249F}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	lightweightNeoblox.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	lightweightNeoblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-c5837a56b9bf486f\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	lightweightNeoblox.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	lightweightNeoblox.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	lightweightNeoblox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	lightweightNeoblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{EEB76FA9-E4A6-4B53-B5D2-133C46C28613}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	lightweightNeoblox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	lightweightNeoblox.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	lightweightNeoblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	lightweightNeoblox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	lightweightNeoblox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	lightweightNeoblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	lightweightNeoblox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	lightweightNeoblox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	lightweightNeoblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	lightweightNeoblox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	lightweightNeoblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeRobloxPlayerLauncher.exe

pid	process
4684	chrome.exe
4684	chrome.exe
2276	chrome.exe
2276	chrome.exe
4672	chrome.exe
4672	chrome.exe
3432	chrome.exe
3432	chrome.exe
4092	chrome.exe
4092	chrome.exe
4172	chrome.exe
4172	chrome.exe
4780	chrome.exe
4780	chrome.exe
2868	chrome.exe
2868	chrome.exe
4380	chrome.exe
4380	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
1500	chrome.exe
1500	chrome.exe
2220	chrome.exe
2220	chrome.exe
3652	chrome.exe
3652	chrome.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe
4540	RobloxPlayerLauncher.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RobloxPlayerBeta.exe

pid process

1768 RobloxPlayerBeta.exe

pid	process
1768	RobloxPlayerBeta.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7zG.exeneobloxBootstrapper.exelightweightNeoblox.exeneobloxBootstrapper.exeNeoblox.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	5072	7zG.exe
Token: 35	5072	7zG.exe
Token: SeSecurityPrivilege	5072	7zG.exe
Token: SeSecurityPrivilege	5072	7zG.exe
Token: SeDebugPrivilege	4172	neobloxBootstrapper.exe
Token: SeDebugPrivilege	3068	lightweightNeoblox.exe
Token: SeDebugPrivilege	4364	neobloxBootstrapper.exe
Token: SeDebugPrivilege	864	Neoblox.exe
Token: 33	1776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1776	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exe

pid	process
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
5072	7zG.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

lightweightNeoblox.exeNeoblox.exeRobloxPlayerBeta.exeOpenWith.exe

pid process

3068 lightweightNeoblox.exe
864 Neoblox.exe
864 Neoblox.exe
1768 RobloxPlayerBeta.exe
1768 RobloxPlayerBeta.exe
5052 OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2276 wrote to memory of 4860	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 4860	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 440	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 4684	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 4684	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe
PID 2276 wrote to memory of 3588	2276	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/NeobloxExecutor/neoblox/releases/tag/v6.1
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8545c4f50,0x7ff8545c4f60,0x7ff8545c4f70
3⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2
3⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:8
3⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
3⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
3⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4304 /prefetch:8
3⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
3⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
3⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
3⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4408 /prefetch:8
3⤵
PID:592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2756 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1604 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=808 /prefetch:8
3⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 /prefetch:8
3⤵
PID:532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
3⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1172 /prefetch:8
3⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4272 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
3⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
3⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
3⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
3⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
3⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
3⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
3⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5840 /prefetch:8
3⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 /prefetch:8
3⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5868 /prefetch:8
3⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5576 /prefetch:8
3⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
3⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
3⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:8
3⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6576 /prefetch:8
3⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6588 /prefetch:8
3⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6424 /prefetch:8
3⤵
PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6412 /prefetch:8
3⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6832 /prefetch:8
3⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6912 /prefetch:8
3⤵
PID:836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
3⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6576 /prefetch:8
3⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
3⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6792 /prefetch:8
3⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3144 /prefetch:8
3⤵
PID:3708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
3⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3200 /prefetch:8
3⤵
PID:1564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
3⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 /prefetch:8
3⤵
PID:336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3192 /prefetch:8
3⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
3⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
3⤵
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
3⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3140 /prefetch:8
3⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5680 /prefetch:8
3⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3156 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4544 /prefetch:8
3⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6640 /prefetch:8
3⤵
PID:4528

C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
"C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4540

C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=d0b4c56632452fa149160ea75abb3fd8ebbae2c4 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7b8,0x7bc,0x7c0,0x6dc,0x4a8,0x13532a8,0x13532b8,0x13532c8
4⤵
- Executes dropped EXE
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 /prefetch:8
3⤵
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
3⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3064 /prefetch:8
3⤵
PID:2832

C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerLauncher.exe
"C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerLauncher.exe" roblox-player:1+launchmode:play+gameinfo:IpVMiyLbL0Rc2gVbx_HSuUpLaUZtqW0PaOZ9q4hHjNSr2uGIZ-KIvLdWOEIRuiXEbXKzAFEcug1XlcDkYUwSz9hZqIxdSmJHfBpKS7Xw3-1Gr9jOUhJ4XZSr8Yq4DDhH5eXti7vujWqTNMIfS5uP-3A1vct2kpahAEMA4oze3mMAbQFblijOqE7WS2fBaH6FC9jhIcwYlIHpczH-KXzBzbtt73CKEzzQo4wDXSTNJWk+launchtime:1675711784035+placelauncherurl:https%3A%2F%2Fassetgame.roblox.com%2Fgame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D161539040810%26placeId%3D4483381587%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3D1572c882-cf60-4bf9-b5d8-53f203b48800%26joinAttemptOrigin%3DPlayButton+browsertrackerid:161539040810+robloxLocale:en_us+gameLocale:en_us+channel:+LaunchExp:InApp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
PID:3616

C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerLauncher.exe
"C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerLauncher.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=d0b4c56632452fa149160ea75abb3fd8ebbae2c4 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x728,0x72c,0x730,0x690,0x738,0xf932a8,0xf932b8,0xf932c8
4⤵
- Executes dropped EXE
PID:2388

C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerBeta.exe" --app -t IpVMiyLbL0Rc2gVbx_HSuUpLaUZtqW0PaOZ9q4hHjNSr2uGIZ-KIvLdWOEIRuiXEbXKzAFEcug1XlcDkYUwSz9hZqIxdSmJHfBpKS7Xw3-1Gr9jOUhJ4XZSr8Yq4DDhH5eXti7vujWqTNMIfS5uP-3A1vct2kpahAEMA4oze3mMAbQFblijOqE7WS2fBaH6FC9jhIcwYlIHpczH-KXzBzbtt73CKEzzQo4wDXSTNJWk -j https://assetgame.roblox.com/game/PlaceLauncher.ashx?request=RequestGame&browserTrackerId=161539040810&placeId=4483381587&isPlayTogetherGame=false&joinAttemptId=1572c882-cf60-4bf9-b5d8-53f203b48800&joinAttemptOrigin=PlayButton -b 161539040810 --launchtime=1675711784035 --rloc en_us --gloc en_us
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4813842254675815705,16417265246605429789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6920 /prefetch:8
3⤵
PID:2900

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Neoblox_Bootstrapper\" -spe -an -ai#7zMap13124:102:7zEvent32659
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5072

C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe
"C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe"
2⤵
- Executes dropped EXE
PID:4436

C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe
"C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\lightweightNeoblox.exe
"C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\lightweightNeoblox.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe
"C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Users\Admin\Downloads\Neoblox_Bootstrapper\Neoblox\Neoblox.exe
"C:\Users\Admin\Downloads\Neoblox_Bootstrapper\Neoblox\Neoblox.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:864

C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerBeta.exe
\??\C:\Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerBeta.exe
2⤵
- Executes dropped EXE
PID:3428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4760

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
PID:3100

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3100_1137783428\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3100_1137783428\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={d34fafcc-a0f0-4e40-b555-c535f7a03759} --system
2⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:1628

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:3668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:1488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:2852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\neobloxBootstrapper.exe.log
Filesize
333B

MD5
6d7882d79240defe05907595a78ee051

SHA1
1423d8fa43cdcdbb89d3d4195b4113cf58b1e54b

SHA256
d804b04e5262cabfb4e8b32964def3ed93106315f245064be9956b24f0cc9b82

SHA512
f8836c544fd0cacd8d81d1669a88a751accf4ca7576530ea3b79f4a73b8a15b6a917a45a0ca77a974209342795521c737bfa72357a1fec0aa6699b61e9ac6e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x86\SciLexer.dll
Filesize
943KB

MD5
2ff7acfa80647ee46cc3c0e446327108

SHA1
c994820d03af722c244b046d1ee0967f1b5bc478

SHA256
08f0cbbc5162f236c37166772be2c9b8ffd465d32df17ea9d45626c4ed2c911d

SHA512
50a9e20c5851d3a50f69651bc770885672ff4f97de32dfda55bf7488abd39a11e990525ec9152d250072acaad0c12a484155c31083d751668eb01addea5570cd

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper.zip
Filesize
115.7MB

MD5
96197a1a6feedcd95598409951ea1059

SHA1
0904fc39491f8cc8049c95a67e13d31e19b787e5

SHA256
4ef5ad0d0f391bc4063fec155095dcc72d1822f1286a450eaa017f4d7fb777b4

SHA512
de6d57d030627746375343735dc6400ea3bc489dcb7fa8d4cbaf2820d0688f8df4cf382710d4e423d675f8ad58912ac22dc30e5f4ff5727de431e2e17d1e02d5

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\Neoblox\KrnlAPI.dll
Filesize
1.2MB

MD5
457242aba102f82daedb7ec907b1ac5c

SHA1
bb20ca697349a16fc80c928aea8d155c1cb4fa40

SHA256
3667300295731be993d6a2d6a21e23e8be9fb177a8b3325f55db28fd265fc19a

SHA512
23f8bd7cad2e8530dae8f14e620343658cf07ecfae71d223666166228e2d223abc5e981c26eb78ed4c4737c74284737a854c8e7e7cf06441244cbcfc9c6acd1b

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\Neoblox\Neoblox.exe
Filesize
976KB

MD5
60bdad498581b4998ad0397465d30891

SHA1
a57494c1f958dce86707187d8dfe17ae5c6028b7

SHA256
27ea6419a7bedd7b748b67f7b436d7beff65dcc149ac942b9d840f096fae7355

SHA512
c48bdb6b0cd6c66512f7204ef44b54f6a2a3d57b2586f95cab88288a6da620b060bff8ede38dd9352422ad6b926a2f0ceca76da1bc3df2de3c0867797e665396

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\Neoblox\Neoblox.exe
Filesize
976KB

MD5
60bdad498581b4998ad0397465d30891

SHA1
a57494c1f958dce86707187d8dfe17ae5c6028b7

SHA256
27ea6419a7bedd7b748b67f7b436d7beff65dcc149ac942b9d840f096fae7355

SHA512
c48bdb6b0cd6c66512f7204ef44b54f6a2a3d57b2586f95cab88288a6da620b060bff8ede38dd9352422ad6b926a2f0ceca76da1bc3df2de3c0867797e665396

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\Neoblox\Neoblox.exe.config
Filesize
530B

MD5
c7a4606f8f222fc96e1e6b08c093794b

SHA1
2700b3727ab01d93e75e1e12f308dcaeb1d37dba

SHA256
32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b

SHA512
7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\Neoblox\WeAreDevs_API.dll
Filesize
605KB

MD5
f263efb1b579cc33a0f1024c2a18d03b

SHA1
e9dc916b6d4606ba47e30787387dcfd490bafc56

SHA256
f2732f9e3a87d874a3108f8ff0be200bcab9d07fe77b02aaacd94da1efcb3963

SHA512
09a3d948b52b16136f2ce9ecdb094a99092a4a9cf6f324e67a0a5d04d244cf4c3fd2696010f1884272240c3bc24fdaf1edc9ac102bc438564e7fc0be7b2fca34

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\Neoblox\WeAreDevs_API.dll
Filesize
605KB

MD5
f263efb1b579cc33a0f1024c2a18d03b

SHA1
e9dc916b6d4606ba47e30787387dcfd490bafc56

SHA256
f2732f9e3a87d874a3108f8ff0be200bcab9d07fe77b02aaacd94da1efcb3963

SHA512
09a3d948b52b16136f2ce9ecdb094a99092a4a9cf6f324e67a0a5d04d244cf4c3fd2696010f1884272240c3bc24fdaf1edc9ac102bc438564e7fc0be7b2fca34

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\Neoblox\WeAreDevs_API.dll
Filesize
605KB

MD5
f263efb1b579cc33a0f1024c2a18d03b

SHA1
e9dc916b6d4606ba47e30787387dcfd490bafc56

SHA256
f2732f9e3a87d874a3108f8ff0be200bcab9d07fe77b02aaacd94da1efcb3963

SHA512
09a3d948b52b16136f2ce9ecdb094a99092a4a9cf6f324e67a0a5d04d244cf4c3fd2696010f1884272240c3bc24fdaf1edc9ac102bc438564e7fc0be7b2fca34

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\EasyExploits.dll
Filesize
10KB

MD5
1c5ffe214040f00ec898bd3c5110e8b2

SHA1
4abfbf2bcbcb742b4c4bbb11d21cafeeb93cf8bb

SHA256
23312041ffa8628a7f89a21ba72af853cb90f26cf134d456656276930b26c1ec

SHA512
682e5c06b1d26bee3f8d5cab9ff9c70908906c20b28ad7e022c37ce3b62b9af5cb1bf39734f387353566b45f5cf9f7c879c3d0a32c894168e6fe64ce7b80bd36

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\EasyExploits.dll
Filesize
10KB

MD5
1c5ffe214040f00ec898bd3c5110e8b2

SHA1
4abfbf2bcbcb742b4c4bbb11d21cafeeb93cf8bb

SHA256
23312041ffa8628a7f89a21ba72af853cb90f26cf134d456656276930b26c1ec

SHA512
682e5c06b1d26bee3f8d5cab9ff9c70908906c20b28ad7e022c37ce3b62b9af5cb1bf39734f387353566b45f5cf9f7c879c3d0a32c894168e6fe64ce7b80bd36

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\EasyExploits.dll
Filesize
10KB

MD5
1c5ffe214040f00ec898bd3c5110e8b2

SHA1
4abfbf2bcbcb742b4c4bbb11d21cafeeb93cf8bb

SHA256
23312041ffa8628a7f89a21ba72af853cb90f26cf134d456656276930b26c1ec

SHA512
682e5c06b1d26bee3f8d5cab9ff9c70908906c20b28ad7e022c37ce3b62b9af5cb1bf39734f387353566b45f5cf9f7c879c3d0a32c894168e6fe64ce7b80bd36

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\KrnlAPI.dll
Filesize
1.2MB

MD5
457242aba102f82daedb7ec907b1ac5c

SHA1
bb20ca697349a16fc80c928aea8d155c1cb4fa40

SHA256
3667300295731be993d6a2d6a21e23e8be9fb177a8b3325f55db28fd265fc19a

SHA512
23f8bd7cad2e8530dae8f14e620343658cf07ecfae71d223666166228e2d223abc5e981c26eb78ed4c4737c74284737a854c8e7e7cf06441244cbcfc9c6acd1b

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\KrnlAPI.dll
Filesize
1.2MB

MD5
457242aba102f82daedb7ec907b1ac5c

SHA1
bb20ca697349a16fc80c928aea8d155c1cb4fa40

SHA256
3667300295731be993d6a2d6a21e23e8be9fb177a8b3325f55db28fd265fc19a

SHA512
23f8bd7cad2e8530dae8f14e620343658cf07ecfae71d223666166228e2d223abc5e981c26eb78ed4c4737c74284737a854c8e7e7cf06441244cbcfc9c6acd1b

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\KrnlAPI.dll
Filesize
1.2MB

MD5
457242aba102f82daedb7ec907b1ac5c

SHA1
bb20ca697349a16fc80c928aea8d155c1cb4fa40

SHA256
3667300295731be993d6a2d6a21e23e8be9fb177a8b3325f55db28fd265fc19a

SHA512
23f8bd7cad2e8530dae8f14e620343658cf07ecfae71d223666166228e2d223abc5e981c26eb78ed4c4737c74284737a854c8e7e7cf06441244cbcfc9c6acd1b

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\ScintillaNET.dll
Filesize
1.3MB

MD5
9166536c31f4e725e6befe85e2889a4b

SHA1
f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae

SHA256
ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163

SHA512
113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\ScintillaNET.dll
Filesize
1.3MB

MD5
9166536c31f4e725e6befe85e2889a4b

SHA1
f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae

SHA256
ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163

SHA512
113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\ScintillaNET.dll
Filesize
1.3MB

MD5
9166536c31f4e725e6befe85e2889a4b

SHA1
f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae

SHA256
ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163

SHA512
113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\Siticone.UI.dll
Filesize
771KB

MD5
fa842ffa299c794e57597aae857d9cb3

SHA1
154afdfd9bd80c1b512f516a8c187c6dd849161e

SHA256
b1d4cdc7891d51636c5e82a91b9bf20e6bb6e68ddf515ac6f51fbda7b199d07d

SHA512
04ee2bff2a9ff0cf89150bb73f0f6a0bda372a245f12c5772b7167821f54f3d1d43292e3ce3c9f2eca2202688c179d5f09248c0fe522bf028c221e07b2d34e4a

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\Siticone.UI.dll
Filesize
771KB

MD5
fa842ffa299c794e57597aae857d9cb3

SHA1
154afdfd9bd80c1b512f516a8c187c6dd849161e

SHA256
b1d4cdc7891d51636c5e82a91b9bf20e6bb6e68ddf515ac6f51fbda7b199d07d

SHA512
04ee2bff2a9ff0cf89150bb73f0f6a0bda372a245f12c5772b7167821f54f3d1d43292e3ce3c9f2eca2202688c179d5f09248c0fe522bf028c221e07b2d34e4a

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\Siticone.UI.dll
Filesize
771KB

MD5
fa842ffa299c794e57597aae857d9cb3

SHA1
154afdfd9bd80c1b512f516a8c187c6dd849161e

SHA256
b1d4cdc7891d51636c5e82a91b9bf20e6bb6e68ddf515ac6f51fbda7b199d07d

SHA512
04ee2bff2a9ff0cf89150bb73f0f6a0bda372a245f12c5772b7167821f54f3d1d43292e3ce3c9f2eca2202688c179d5f09248c0fe522bf028c221e07b2d34e4a

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\WeAreDevs_API.dll
Filesize
605KB

MD5
f263efb1b579cc33a0f1024c2a18d03b

SHA1
e9dc916b6d4606ba47e30787387dcfd490bafc56

SHA256
f2732f9e3a87d874a3108f8ff0be200bcab9d07fe77b02aaacd94da1efcb3963

SHA512
09a3d948b52b16136f2ce9ecdb094a99092a4a9cf6f324e67a0a5d04d244cf4c3fd2696010f1884272240c3bc24fdaf1edc9ac102bc438564e7fc0be7b2fca34

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\WeAreDevs_API.dll
Filesize
605KB

MD5
f263efb1b579cc33a0f1024c2a18d03b

SHA1
e9dc916b6d4606ba47e30787387dcfd490bafc56

SHA256
f2732f9e3a87d874a3108f8ff0be200bcab9d07fe77b02aaacd94da1efcb3963

SHA512
09a3d948b52b16136f2ce9ecdb094a99092a4a9cf6f324e67a0a5d04d244cf4c3fd2696010f1884272240c3bc24fdaf1edc9ac102bc438564e7fc0be7b2fca34

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\WeAreDevs_API.dll
Filesize
605KB

MD5
f263efb1b579cc33a0f1024c2a18d03b

SHA1
e9dc916b6d4606ba47e30787387dcfd490bafc56

SHA256
f2732f9e3a87d874a3108f8ff0be200bcab9d07fe77b02aaacd94da1efcb3963

SHA512
09a3d948b52b16136f2ce9ecdb094a99092a4a9cf6f324e67a0a5d04d244cf4c3fd2696010f1884272240c3bc24fdaf1edc9ac102bc438564e7fc0be7b2fca34

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\lightweightNeoblox.exe
Filesize
648KB

MD5
4782a37280ce6470b75a70249fb01e43

SHA1
e2ca34d92ad6f5a457cacb7a9b38c98224c1d443

SHA256
b3006117448f54ba62744bc62972b4af1569b18bffa2360764f328aa1c3ec96b

SHA512
e7f1c85e6fc4ede7a35e52e7680aeea957d6b1860702ab935f35612856cbcfb48f7c3dd012b296d5ed7966e1aec93a75c5c33ba653515d2fc8d4a27a689fc6e2

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\lightweightNeoblox.exe
Filesize
648KB

MD5
4782a37280ce6470b75a70249fb01e43

SHA1
e2ca34d92ad6f5a457cacb7a9b38c98224c1d443

SHA256
b3006117448f54ba62744bc62972b4af1569b18bffa2360764f328aa1c3ec96b

SHA512
e7f1c85e6fc4ede7a35e52e7680aeea957d6b1860702ab935f35612856cbcfb48f7c3dd012b296d5ed7966e1aec93a75c5c33ba653515d2fc8d4a27a689fc6e2

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\lightweightNeoblox\lightweightNeoblox.exe.config
Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe
Filesize
323KB

MD5
07c00a89b882adab59d0b2e6eeac3516

SHA1
05ef4e1c48a3d081bb535b979e0e88a242cfdd48

SHA256
719f686324040140c4d8b03c5a35c4036b2a5535f1ee5aaf50ad79f2367126e2

SHA512
6a98ce5df9a7fbeb910bbea419b22794b7b4cde06f19222e55c1a21642a1e7b0036ae95022006de7ce8eabca78773ec07b01ee6e9d6ef6a6d7b62aebf5e15401

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe
Filesize
323KB

MD5
07c00a89b882adab59d0b2e6eeac3516

SHA1
05ef4e1c48a3d081bb535b979e0e88a242cfdd48

SHA256
719f686324040140c4d8b03c5a35c4036b2a5535f1ee5aaf50ad79f2367126e2

SHA512
6a98ce5df9a7fbeb910bbea419b22794b7b4cde06f19222e55c1a21642a1e7b0036ae95022006de7ce8eabca78773ec07b01ee6e9d6ef6a6d7b62aebf5e15401

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe
Filesize
323KB

MD5
07c00a89b882adab59d0b2e6eeac3516

SHA1
05ef4e1c48a3d081bb535b979e0e88a242cfdd48

SHA256
719f686324040140c4d8b03c5a35c4036b2a5535f1ee5aaf50ad79f2367126e2

SHA512
6a98ce5df9a7fbeb910bbea419b22794b7b4cde06f19222e55c1a21642a1e7b0036ae95022006de7ce8eabca78773ec07b01ee6e9d6ef6a6d7b62aebf5e15401

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe
Filesize
323KB

MD5
07c00a89b882adab59d0b2e6eeac3516

SHA1
05ef4e1c48a3d081bb535b979e0e88a242cfdd48

SHA256
719f686324040140c4d8b03c5a35c4036b2a5535f1ee5aaf50ad79f2367126e2

SHA512
6a98ce5df9a7fbeb910bbea419b22794b7b4cde06f19222e55c1a21642a1e7b0036ae95022006de7ce8eabca78773ec07b01ee6e9d6ef6a6d7b62aebf5e15401

Download Submit
C:\Users\Admin\Downloads\Neoblox_Bootstrapper\neobloxBootstrapper.exe.config
Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
940B

MD5
20cd02675ed69d44c3a278a9481ef859

SHA1
8179b531f2a698c8dd30f28f7a6588a219f26486

SHA256
365a04042fcdc8bed815654cb53897cfc10ce4348bbefd530f72034856942cdd

SHA512
fccc227408a71b90f4ae1db60d36ca55ed84b618c3333410f13888550a86a0ed8ab8f1b29ddc5352e64ae3947b3e0b937a446907c424341c190dd98f30418ba9

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
824B

MD5
3688374325b992def12793500307566d

SHA1
4bed0823746a2a8577ab08ac8711b79770e48274

SHA256
2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085

SHA512
59119e66f5945029f8652c5981589d95cace534adc6780ccea736b7e776615caa0b567c14d161271d6066f57d9bab0d4055850162f5a046c0456264b7b9e7508

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
824B

MD5
3688374325b992def12793500307566d

SHA1
4bed0823746a2a8577ab08ac8711b79770e48274

SHA256
2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085

SHA512
59119e66f5945029f8652c5981589d95cace534adc6780ccea736b7e776615caa0b567c14d161271d6066f57d9bab0d4055850162f5a046c0456264b7b9e7508

Download Submit
\??\pipe\crashpad_2276_BODWWKOAKXQRCTOJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/864-184-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/864-183-0x000000000CE10000-0x000000000CE2A000-memory.dmp

Filesize
104KB

Download
memory/864-185-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/864-182-0x00000000123F0000-0x0000000012B96000-memory.dmp

Filesize
7.6MB

Download
memory/864-177-0x0000000000A20000-0x0000000000B1A000-memory.dmp

Filesize
1000KB

Download
memory/1472-188-0x0000000000000000-mapping.dmp

Download
memory/1768-191-0x0000000000000000-mapping.dmp

Download
memory/1768-192-0x0000000000060000-0x0000000005764000-memory.dmp

Filesize
87.0MB

Download
memory/1768-205-0x0000000000060000-0x0000000005764000-memory.dmp

Filesize
87.0MB

Download
memory/2388-190-0x0000000000000000-mapping.dmp

Download
memory/3068-145-0x0000000000EE0000-0x0000000000F88000-memory.dmp

Filesize
672KB

Download
memory/3068-146-0x0000000005EE0000-0x0000000006484000-memory.dmp

Filesize
5.6MB

Download
memory/3068-151-0x0000000005930000-0x00000000059CE000-memory.dmp

Filesize
632KB

Download
memory/3068-147-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/3068-164-0x00000000066A0000-0x0000000006768000-memory.dmp

Filesize
800KB

Download
memory/3068-168-0x00000000068D0000-0x0000000006A24000-memory.dmp

Filesize
1.3MB

Download
memory/3068-155-0x0000000006490000-0x00000000065CE000-memory.dmp

Filesize
1.2MB

Download
memory/3068-159-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/3068-160-0x0000000005E30000-0x0000000005E3A000-memory.dmp

Filesize
40KB

Download
memory/3428-195-0x0000000000060000-0x0000000000153000-memory.dmp

Filesize
972KB

Download
memory/3428-202-0x0000000000060000-0x0000000000153000-memory.dmp

Filesize
972KB

Download
memory/3428-203-0x00000000018C0000-0x0000000002174000-memory.dmp

Filesize
8.7MB

Download
memory/3616-189-0x0000000000000000-mapping.dmp

Download
memory/3840-187-0x0000000000000000-mapping.dmp

Download
memory/4172-141-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

Filesize
72KB

Download
memory/4436-137-0x00000000008A0000-0x00000000008F6000-memory.dmp

Filesize
344KB

Download
memory/4436-138-0x0000000002C00000-0x0000000002C0A000-memory.dmp

Filesize
40KB

Download
memory/4540-186-0x0000000000000000-mapping.dmp

Download