Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
720s -
max time network
726s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22/08/2024, 20:20
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://arceusx.com/
Resource
win10v2004-20240802-en
General
-
Target
https://arceusx.com/
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 11 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\apk_auto_file\shell\Read OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\apk_auto_file\shell\Read\command OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.apk OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\apk_auto_file\shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\apk_auto_file OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.apk\ = "apk_auto_file" OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4908 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 756 msedge.exe 756 msedge.exe 1776 msedge.exe 1776 msedge.exe 1140 identity_helper.exe 1140 identity_helper.exe 5204 msedge.exe 5204 msedge.exe 5204 msedge.exe 5204 msedge.exe 3480 msedge.exe 3480 msedge.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 5924 OpenWith.exe 532 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe 1776 msedge.exe -
Suspicious use of SetWindowsHookEx 58 IoCs
pid Process 6024 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 5924 OpenWith.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 6128 AcroRd32.exe 5736 AcroRd32.exe 5792 AcroRd32.exe 5792 AcroRd32.exe 5792 AcroRd32.exe 5792 AcroRd32.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe 532 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1776 wrote to memory of 3996 1776 msedge.exe 85 PID 1776 wrote to memory of 3996 1776 msedge.exe 85 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 3564 1776 msedge.exe 86 PID 1776 wrote to memory of 756 1776 msedge.exe 87 PID 1776 wrote to memory of 756 1776 msedge.exe 87 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88 PID 1776 wrote to memory of 3584 1776 msedge.exe 88
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://arceusx.com/1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8bcd146f8,0x7ff8bcd14708,0x7ff8bcd147182⤵PID:3996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵PID:3564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:82⤵PID:3584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:12⤵PID:2912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:12⤵PID:3900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:82⤵PID:3548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:12⤵PID:3884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:12⤵PID:560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵PID:1928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:12⤵PID:3220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵PID:5240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵PID:5364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:12⤵PID:5372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:12⤵PID:5956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6196 /prefetch:82⤵PID:6060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6352 /prefetch:82⤵PID:4944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:12⤵PID:2952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,6766062869234474172,5180283554456863396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Roblox.Arceus.X.NEO.1.3.9.apk"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5792 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8C9FA337CDEC1828467BD0F7103E4B94 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:4788
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5F198EA780091A52B2F29C8C6244F5A9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5F198EA780091A52B2F29C8C6244F5A9 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:4384
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC6D8723168BCC5414B7517FAB6FFF88 --mojo-platform-channel-handle=2276 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:5004
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FC110CC0B909A4EB79D85371D2A617D5 --mojo-platform-channel-handle=1836 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:3084
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4253F6BCDADAA2803B0BD2588103BB48 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:4100
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4740
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:888
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4a4 0x40c1⤵PID:6100
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6024
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3540
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5924 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Roblox.Arceus.X.NEO.1.3.9.apk"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6128 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E79B4B43FF905B0BA759CE2F15EC8B64 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:876
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=721B33E453B8FBAA5BBD1582568B00C9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=721B33E453B8FBAA5BBD1582568B00C9 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:5780
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5CAC32ACFA42A7AE424D2C52BEDFC840 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:4360
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A557C83E196DFC807DC21857B1722592 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:5700
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1228B1CA491E4B0A775BB79AE0B5B3B7 --mojo-platform-channel-handle=2524 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:5220
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6199CFC881C49885EED0278C8D079B24 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6199CFC881C49885EED0278C8D079B24 --renderer-client-id=8 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:3124
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5660
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Roblox.Arceus.X.NEO.1.3.9.apk"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5736
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:532 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Roblox.Arceus.X.NEO.1.3.9.apk2⤵
- Opens file in notepad (likely ransom note)
PID:4908
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD57c4a8901907580578b272edfee955331
SHA19a17531bbf1987bc7cf494f111ea8ef28fadd2b1
SHA2562c42d3ea099497918e1cca7740b0c117fef10aabf47df7fa47972d76b1c0798a
SHA512881ee4a15e28ced9b12cada6fbf489f698d1820b23a212e353b7a9f2b91d31463a64c98aa4a5e35e3021e1e1239e770b7a2e0003597e3dcdda275c2c45d4565e
-
Filesize
292B
MD557351ec0f0f9934ead2e97483d3f870c
SHA120268f342528b380a0b912f1c48d75b5e2b4a034
SHA25691a175ed4cc0ed29a3d01b74c56e1a42cf801b0e32219db4fd2a5b47adff613b
SHA51277dc8e15996f2674609ed4851497a6c25927181dff254e3bfdd1f1b7c9528c99ac6cf458ec926eddf5f389a04d867cdc80bc02a8a8dbe998ced9b44dcf798b29
-
Filesize
128KB
MD561b8304e0b5b6e4d3d708bbd8bacdd16
SHA1f81359fc4a1e070c4c4b3dc8f9106960f17fbea0
SHA256482937b8d5e1ca67519b50a7e8fde79b329a0edbaed70de09293dc24c2531fbf
SHA5122a2b48267f6b0678effedaad51bd330dfcfb99cb075ba05a5749c1b325029c9eef5ce2a20b675f5cb215d1f7938c677564eb6a9518a0201c0a11eb73d0879f09
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD5b1fc0d8cf2da5163ffecdab7749ac92d
SHA1a4421c1bcf2b5935c627515ac72dcd7042c09d95
SHA25633c55f88a393b7b298e82c20390fd201b9167a58a56b05a99e014be23268ab14
SHA5120c83eb8943793cfe8970723b9a6a393092e8df4e3fa841aceeb6b91cc13273addece78ae429c38ec9be558eb633cf2ddb06b1e5d2aa78c4b08cca4f0d5673390
-
Filesize
240KB
MD54d4396a6d756b9363888d25501ceb016
SHA1c15314ebd246b93eae4264645c0a4554588f1889
SHA2563650550a5da88de7cc1176c4b0c56423a5e56b2584b99603e41174301e60c749
SHA5126e281c918133f46ebc10cb98dc9c3d156e4dc452d0b4e7aa7010984878c809fea9c0ae8e994456d21fbd91e33645422a7d2639ddedaf91cce592490a819a0530
-
Filesize
12KB
MD58ef636b32b9ce6f078d22bd908d008d1
SHA171eadd2fa6433fa4964658232ff172e051aced7f
SHA256d991c976db81d03c15128ee834a7c42d93788db00e37a2ebe0b8ebde77dee0df
SHA51284957cb8db1776ee7aeeb5648c5f3f6e1d664c12390dcd5a1126b63c442023ef317348270181e92aff37de72c12fff5934be7a63848d346daac9ea605a9c6e64
-
Filesize
39KB
MD55faaa78e13841482cf3844a342eb79f7
SHA16ad611f8048dc998a1bceb89821d1def82bd93d3
SHA256f4f5f52c905094d0384c05814517c9ccb07cbbbab498aaeeab4011d7499b2cfe
SHA5125c9b53d29cd4c8c10faa7f1c32a874ab401044b60915a928ddeae883f615700cfd61f5b000540789d659ae5fe1f46b9b94d65b445515b30476a1f07e20d13609
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
Filesize
20KB
MD5a6ad24daf242e845b5d55268bd5d1f9e
SHA1dfd157ac56810ef2b816480bde8d5557665261e1
SHA2568598c88986c155a9f89ba7a6a426f98fb2a8e6ec1cb3dd06ad75a33c7a9518e9
SHA512c623261c1bea860b09efd48f0b623a39a18e483d6620c3ef03bf993467db0c3ce40905c568ac63be03162916f60a6e3447aa75aeaac1b97387d4cde29f463f57
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5e49650dfbe1160e7b248994af59242ad
SHA15ae8ab259514dfb2f277e6088918b26e1c90fc30
SHA2561edf3eee0de86d7f1438e95a98ca1e474a9f33ce564245d12efa4eab94924d53
SHA5127cdc966663682da683b9080f3129738239bec95f8e1aa5b62fcb078c193a5c8f6ff8a462a2ec873249db3f754562aea3742f6426bde1ac20204145443b323a64
-
Filesize
4KB
MD54df34f695217a36545d2bb51e835332e
SHA1ed8e518cd2c308b53a6e26ef81768b5f4bedbffe
SHA25692de13cbf405971b5c6b955c7068246c910da72c8a08a5334324d24dc898575a
SHA512be9ccb2990fcdf5855107199f7b93a27494f6d7b257ff897fee380df11285f5d6d4ac52264d061e97b9617ea53ca01bef102643b9ec094faa3d7bff6b2635a44
-
Filesize
4KB
MD5b1b8228df64402a94d1e30e7ba3dae11
SHA1ae9b9491a9e98cba9ffd99abc7972beb2e8d2a10
SHA2562fc215e434e0b8459d4b377bd3aaec3557f141b62275c044ba871e2098ac877c
SHA512d4b8d51a8023528abc2bc9b104c2fb7ca99a6929087dd0ce467d2c309129705aeb6ff6faa4be4911bac3388bfbf43383969b5e6ec5ce5190026ad1b038ec01a3
-
Filesize
6KB
MD54732e9a98f487d3c50ea595b0c16db9e
SHA199c45d099ffaf107cf415971471baa7b596ce1fd
SHA25675ccb6625a60d18e577bad8616ec0148841462947d3655e10f43c9022711a28e
SHA512f6d5037ca15aea61cb28c81753da7624854c80e6a7f9134318a5e1afb21c9d2a7add48ae026a5e4518144c6936225391220c723c5a541dc930eeb9b4eed3b181
-
Filesize
7KB
MD512f9bbff6f0f5b36af4d8f49a9487f83
SHA1cfabc5d525106bc48a375bb5ad82b5ef580d51ca
SHA2562f759c50445773ec67cc016e782ae136ae620bf9490673cd01442c3d638b791a
SHA512f660e3669744be1e497f7c78110cf43bc27afef1041724654dbb7e19eb4875b1768fb2f3ce89197b94368280be4d35ee45e8230de54f7c7694776cb372fac513
-
Filesize
5KB
MD590d1f41d158f85bf968ff94417822074
SHA181fd006f10c798d99e08a147f6769ee61d6b4251
SHA25669b61583e56b8d874d11156290b015729bb4221e11833230b6d93e88af0bc1e4
SHA512152f2c6f2835020dbd00a0a36d5c05340727265771895620419cbaf6ae06559538c1dbb329c6a6ce4a5b656565c01cb62e25a4b922c407870e84295f0044b334
-
Filesize
7KB
MD5436eeb90384a94a64f47223e743392bd
SHA1e0cc2e5332738026fc282ac5ed6ddeb54fb01366
SHA2562b362f09f1c6789c88c7ec6abe7ec9f811ea6ff916140c6a1b4952ff69657caf
SHA5122399956c9ecc6cadb25bc896b126b0847c9fe73364df49d722a272d072782b3671b4dadd757438707b07f35f65f699da2cfa713abd01b1b1decced20af779be8
-
Filesize
705B
MD53ee16f910ad01f87f18310ec766c2b76
SHA1ad2f06b44e43346a6052a6eb0379b1fcf674ed6b
SHA25628c573892d2d36f3677eaea28ec551608ba046e2c7bc16008fb28af5c18a2b06
SHA5122a3c564211bffd7c7f7027a2447be3efffc3b2c2e780cc0e9c013f1e61388bb36c7f9cf61844c8993c6b5ce1e4bfc245dd6adaeb469709cae1747b4c82100957
-
Filesize
538B
MD5e452087324d5affceca43f2fd69d0e7d
SHA168f01055495287ea92cf45984739bdb911933f75
SHA256c8756386c6442880b0c6a8937ab82e457178f0defd17df948c283af435722258
SHA5127f66f4fd406a65933909301e2f8d54927b114c1de81b76148175f05f121da6aed5d4b63fd9e48e2cf35dc64c15cf76aabbda9862d9a9fd1fee81df82a43ccbe8
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5f2e9032dd8ed45a61fd77d806b6a23f8
SHA1a0171f27f6741e5e65410eee30572a4d813378cb
SHA256b4cca7c0da636c553f18f713762b23fd04675c3550c30cf0698217c4993556fb
SHA51273d900d0addcefed25e0426ee1cc0f0113ec1b4b0081a7bab3a86eda89ea43b03dc29bc923958d1e873ba086682461e8695d58e548907a3ccc9fae8b58cab9e9
-
Filesize
12KB
MD5533299f72fe707011b1661b882304638
SHA19b2b26de519d1f10c3dbd744bcffb5950c34e031
SHA2561034a620244967504f0b570387c0bd713ee689aaf3630f0cf10f2c77f1d1cd4a
SHA512df9ba2f61432984860860abe7760f301f8de02e664ce21586789ec7791f35eb316d145abdd6a65dd5e6741e02edaf338d2459a07c55d2736db8ef950f0e70a98
-
Filesize
10KB
MD59d2bd5017b44aa52af1ff2010fe5f68d
SHA1e91cd193e22948ba625f25ed3640c7680b1f50e8
SHA256d17a4abc2687de6a0fca3eac2151c6cb41c8189752d6c5fd44e018ce6fc7e27f
SHA512f7c4d4f6bd55240a3de9578bd861687bc0305e94eb7426a23f0afebc3d9ca93941f6e6c6117636fd4e392ca1190253ec9e2a937133b32720d5d670ba306f8281
-
Filesize
23KB
MD502760f70afc1541bcea3a331da64cabc
SHA103fcea3b5ad22ff0bc0f0e7cd9b07db3dc447ed3
SHA2569ebd1d17d34ad3beabec22c386436844041c8c032581f334958bdee9a5d3060d
SHA512b27fdb7aea6e9588550388444ba721ccac670b32fb20d0527e84cfdf334a75f7be4f6052841019249a96b38742f4daaa929f1c11abe51e43bc96afb67af4a61d
-
Filesize
36B
MD55c6b932a79952b4b27833691305e61db
SHA109804db0986a989c2c49cdcea563567fb4c7b1a0
SHA256dee5a5925227b125f4ac6d9b70a277e6ec8494ffc73d1cce9e08cc7a78d6208a
SHA5124faa9585bb10156d5dea3b62d3a3a1bfa92430ba6e1e3381fc4c76c3071c85e53d5cbce0016dba1d1f9ea1b7af37b4a4efbaf4f3106b7d958b6e2e90aa0df059