
Windows Analysis Report: Original Shipment Doc Ref 2853801324189923,PDF.exe

Overview

General Information

Sample Name:Original Shipment Doc Ref 2853801324189923,PDF.exe
Analysis ID:502359
MD5:e954c3d029b943b054fceb27e5e24d2d
SHA1:927f6633500965f008ab556a0c1004c095e004ee
SHA256:a0703367806de16bac9c75c016780c0bf3b1d8c21cf7f51b6a47b6a1aba74999
Tags: exe, Xloader

Detection: DBatLoader, FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected DBatLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Creates processes with suspicious names
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Original Shipment Doc Ref 2853801324189923,PDF.exe (PID: 5904 cmdline: 'C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe' MD5: E954C3D029B943B054FCEB27E5E24D2D)
    • Original Shipment Doc Ref 2853801324189923,PDF.exe (PID: 6648 cmdline: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe MD5: E954C3D029B943B054FCEB27E5E24D2D)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Nyedvqj.exe (PID: 6824 cmdline: 'C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe' MD5: E954C3D029B943B054FCEB27E5E24D2D)
          • Nyedvqj.exe (PID: 4724 cmdline: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe MD5: E954C3D029B943B054FCEB27E5E24D2D)
        • svchost.exe (PID: 1496 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
        • netsh.exe (PID: 2848 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • cmmon32.exe (PID: 6636 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
  • Nyedvqj.exe (PID: 6664 cmdline: 'C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe' MD5: E954C3D029B943B054FCEB27E5E24D2D)
    • Nyedvqj.exe (PID: 7128 cmdline: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe MD5: E954C3D029B943B054FCEB27E5E24D2D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.lnvietnam.online/epns/"], "decoy": ["mmfaccao.com", "blttsperma.quest", "946abe.net", "indispensablehands.com", "jkformationfrance.com", "phonerepaire.com", "lienquan-trian.com", "youkuti.com", "empowermindbodystudios.com", "seunicapf.com", "fk-link.xyz", "kunai.tech", "difficultbutdoablebrand.com", "ejworkspace.com", "teracorp.biz", "thekids.today", "quintaalentejana.com", "annaviruksham.com", "jshengrong.com", "nsmetalmakina.xyz", "hentainftd.com", "alphabet-chicken-farms.com", "erotikchat.red", "skintipsllc.com", "expressofertachegou.com", "ygraeriotexniki.com", "thesidehustler.net", "visionries.com", "deployinghigh.com", "havana-smile.com", "exclusivegift7.com", "ephraimhomedeals.com", "westquartier.com", "kiingear.com", "officecom-myaccount.com", "lemomentconcept.com", "royalteacherclass.com", "alltart.com", "hustlershandbook.biz", "mxpvlv.biz", "canalcorporate.com", "carcity.toys", "k6tkuwrnjake.biz", "acrobike69.com", "4000518883.com", "katia-magnetisme.com", "shiningproent.com", "ikmbc-b02.com", "thoughtsbig.com", "baba.clinic", "blazestead.com", "12monthmillionairetraining.com", "goodtasteonline.com", "nokushop.com", "teneses.com", "215oldtoby.com", "pampelina.com", "eimzaizmir.com", "newnetteline.com", "discovertexasbeaches.com", "farrukhportfolio.website", "bombers.xyz", "melissacarbonell.group", "5402506.win"]}

Yara Overview

Initial Sample

Source: Original Shipment Doc Ref 2853801324189923,PDF.exe
Rule: SUSP_Encoded_Discord_Attachment_Oct21_1 (Florian Roth)
Description: Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Strings:
  • 0x79074:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc (this is "cdn.discordapp.com/attachments" stored backwards)

Dropped Files

Source: C:\Users\Public\Libraries\jqvdeyN.url (the file name is Nyedvqj reversed)
Rule: Methodology_Contains_Shortcut_OtherURIhandlers (@itsreallynick (Nick Carr))
Description: Detects possible shortcut usage for .URL persistence
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
(The two offsets show the usual layout: "[InternetShortcut]" at 0x0, a CRLF, then "URL=" at 0x14.)

Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe (same MD5 as the submitted sample in the process tree, i.e. a straight copy of itself)
Rule: SUSP_Encoded_Discord_Attachment_Oct21_1 (Florian Roth)
Description: Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Strings:
  • 0x79074:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
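The two rules above key on artefacts that are cheap to check by hand: the $enc_r01 string is "cdn.discordapp.com/attachments" written backwards, and the .url file is flagged only because it pairs [InternetShortcut] with a URL= line. The Python below is an added example of that triage, not Joe Sandbox's or either rule author's code. The blob and the .url body it scans are constructed here (the report shows neither the full reversed URL nor the target of the URL= line), and the extra hosts in the needle list beyond the Discord CDN are assumptions.

```python
"""Static triage of the two dropped-file artefacts matched above.
Added example, not Joe Sandbox or rule-author code. The blob and the
.url body are constructed here; only the reversed host string and the
[InternetShortcut] / URL= markers come from the report."""
import re

# Hosts worth looking for in reversed form. The first is what $enc_r01
# matches ("stnemhcatta/moc.ppadrocsid.ndc" read backwards); the other
# two are my assumptions about further hosts worth scanning for.
REVERSED_NEEDLES = (
    "cdn.discordapp.com/attachments",
    "cdn.discordapp.com",
    "transfer.sh",
)
URL_BYTE = re.compile(rb"[A-Za-z0-9:/._~%&=?#+-]")   # one byte that may belong to a URL


def find_reversed_strings(data, needles=REVERSED_NEEDLES):
    """Return sorted (offset, needle) pairs for every needle stored reversed in data.

    The needle is reversed rather than the buffer, so offsets stay comparable
    with Yara's. Hits that lie entirely inside a longer hit are dropped."""
    hits = []
    for needle in needles:
        rev = needle[::-1].encode()
        pos = data.find(rev)
        while pos != -1:
            hits.append((pos, needle))
            pos = data.find(rev, pos + 1)
    kept = []
    for off, needle in hits:
        inside_longer = any(
            len(other) > len(needle) and o2 <= off and off + len(needle) <= o2 + len(other)
            for o2, other in hits)
        if not inside_longer:
            kept.append((off, needle))
    return sorted(kept)


def recover_url(data, offset):
    """Grow a reversed-host hit over neighbouring URL bytes and un-reverse it."""
    start, end = offset, offset
    while start > 0 and URL_BYTE.fullmatch(data[start - 1:start]):
        start -= 1
    while end < len(data) and URL_BYTE.fullmatch(data[end:end + 1]):
        end += 1
    return data[start:end][::-1].decode("ascii", errors="replace")


def parse_internet_shortcut(text):
    """Parse a .url file and classify the handler its URL= line invokes.

    Methodology_Contains_Shortcut_OtherURIhandlers fires on the
    [InternetShortcut] + URL= pair alone; the classification is mine:
    anything other than http(s) is flagged, since a .url can start a local
    executable through file: or a bare drive path."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    url = fields.get("url", "")
    if re.match(r"^[A-Za-z]:[\\/]", url) or url.startswith("\\\\"):
        handler = "local-path"
    elif ":" in url:
        handler = url.split(":", 1)[0].lower()
    else:
        handler = ""
    return {"url": url, "handler": handler, "suspicious": handler not in ("http", "https")}


# Constructed inputs (not taken from the report).
CONSTRUCTED_URL = "https://cdn.discordapp.com/attachments/1234567890/0987654321/payload.bin"
SAMPLE_BLOB = b"\x00" * 0x40 + CONSTRUCTED_URL[::-1].encode() + b"\x00" * 0x10
# jqvdeyN.url is shown to carry [InternetShortcut] and URL=; the target is assumed.
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=file:///C:/Users/Public/Libraries/Nyedvqj/Nyedvqj.exe\r\n"

if __name__ == "__main__":
    for off, host in find_reversed_strings(SAMPLE_BLOB):
        print(f"0x{off:x} {host} -> {recover_url(SAMPLE_BLOB, off)}")
    print(parse_internet_shortcut(SAMPLE_URL_FILE))
```

Reversing the needle instead of the buffer keeps the reported offset equal to the one Yara prints, so a hit can be cross-checked against the $enc_r01 offset in the table; the shorter "cdn.discordapp.com" needle is suppressed when it sits inside the longer attachments match.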

Memory Dumps

Source: 0000000C.00000002.321929561.0000000000473000.00000008.00020000.sdmp
Rule: SUSP_Encoded_Discord_Attachment_Oct21_1 (Florian Roth)
Description: Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Strings:
  • 0x8074:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc

Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp
Rule: JoeSecurity_FormBook (Joe Security)
Description: Yara detected FormBook

Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp
Rule: Formbook_1 (Felix Bilstein - yara-signator at cocacoding dot com)
Description: autogenerated rule brought to you by yara-signator
Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
($sequence_0 disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: the timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature above.)

Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp
Rule: Formbook (JPCERT/CC Incident Response Group)
Description: detect Formbook in memory
Strings:
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
(Each string is a push imm32: 0xE17B1C34, 0xC5902A38 and 0x8C7FD853. The rule author names them after the sqlite3 step/text/blob routines the constants stand for in FormBook's credential-store parsing.)

Source: 00000001.00000003.270904610.0000000003C8C000.00000004.00000001.sdmp
Rule: SUSP_Encoded_Discord_Attachment_Oct21_1 (Florian Roth)
Description: Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Strings:
  • 0x79080:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc

(104 entries in total; only the first are shown here.)

Unpacked PEs

Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack
Rule: JoeSecurity_FormBook (Joe Security)
Description: Yara detected FormBook

Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack
Rule: Formbook_1 (Felix Bilstein - yara-signator at cocacoding dot com)
Description: autogenerated rule brought to you by yara-signator
Strings:
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack
Rule: Formbook (JPCERT/CC Incident Response Group)
Description: detect Formbook in memory
Strings:
  • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dec:$sqlite3step: 68 34 1C 7B E1
  • 0x15d08:$sqlite3text: 68 38 2A 90 C5
  • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C

Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook (Joe Security)
Description: Yara detected FormBook

Source: 17.1.Nyedvqj.exe.400000.0.raw.unpack
Rule: Formbook_1 (Felix Bilstein - yara-signator at cocacoding dot com)
Description: autogenerated rule brought to you by yara-signator
Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(40 entries in total; only the first are shown here.)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1496

Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe' , CommandLine: 'C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe, NewProcessName: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe, OriginalFileName: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: 'C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe' , ProcessId: 6824

Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1496

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1496
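All four hits come down to parent, path and command-line checks on process-creation events. The Python below is an added example that re-implements that logic over events constructed from the process tree above; it is my approximation of what each Sigma rule tests, not the rules' own text, and the allow-list entries and directories beyond what the report shows (explorer.exe, C:\Users\Public\, the SysWOW64 binaries) are assumptions. The last check, explorer.exe launching a SysWOW64 binary with nothing but its own path, is a hunting heuristic of mine: it also catches the netsh.exe and cmmon32.exe children, which no Sigma rule on this page flags.

```python
"""Process-creation checks modelled on the Sigma hits above. Added example,
not the Sigma rules' own text: each check is my approximation of the rule
it is named after. Events are constructed from the report's process tree."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Only explorer.exe, C:\Users\Public\ and the SysWOW64 binaries come from the
# report; the other entries are assumptions standing in for the longer lists
# the published rules carry.
SVCHOST_PARENTS = {"c:\\windows\\system32\\services.exe", "c:\\windows\\system32\\msmpeng.exe"}
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\perflogs\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "wininit.exe", "winlogon.exe"}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev):
    img, parent = ev.image.lower(), ev.parent_image.lower()
    bare_cmdline = ev.cmdline.strip().strip("'\"").lower()
    findings = []
    if basename(img) == "svchost.exe":
        # Suspect Svchost Activity: a real service host is started with "-k <group>".
        if "-k" not in ev.cmdline.lower().split():
            findings.append("Suspect Svchost Activity")
        # Suspicious Svchost Process: parent outside the allow-list.
        if parent not in SVCHOST_PARENTS:
            findings.append("Suspicious Svchost Process")
    if img.startswith(SUSPICIOUS_DIRS):
        findings.append("Execution from Suspicious Folder")
    if basename(img) in SYSTEM_PROCESSES and not parent.startswith(SYSTEM_DIRS):
        findings.append("Windows Processes Suspicious Parent Directory")
    # Hunting heuristic of mine, not a Sigma rule on this page: explorer.exe
    # starting a SysWOW64 binary with nothing but its own path is how the code
    # FormBook injected into explorer.exe picks its next host process here.
    if (basename(parent) == "explorer.exe" and img.startswith("c:\\windows\\syswow64\\")
            and bare_cmdline == img):
        findings.append("explorer.exe spawned bare SysWOW64 binary")
    return findings


def evaluate(events):
    """Map pid -> findings for every event that triggers at least one check."""
    return {ev.pid: f for ev in events if (f := check_event(ev))}


# Constructed from the process tree in this report (PIDs, images and command
# lines as listed there). explorer.exe itself is left out: the tree nests it
# under the sample as an injection target, not as a process the sample started.
SAMPLE = "C:\\Users\\user\\Desktop\\Original Shipment Doc Ref 2853801324189923,PDF.exe"
DROPPED = "C:\\Users\\Public\\Libraries\\Nyedvqj\\Nyedvqj.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
SAMPLE_EVENTS = [
    ProcEvent(5904, SAMPLE, f"'{SAMPLE}'", 0, ""),            # parent not shown in the report
    ProcEvent(6648, SAMPLE, SAMPLE, 5904, SAMPLE),
    ProcEvent(6824, DROPPED, f"'{DROPPED}'", 3472, EXPLORER),
    ProcEvent(4724, DROPPED, DROPPED, 6824, DROPPED),
    ProcEvent(1496, "C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe", 3472, EXPLORER),
    ProcEvent(2848, "C:\\Windows\\SysWOW64\\netsh.exe", "C:\\Windows\\SysWOW64\\netsh.exe", 3472, EXPLORER),
    ProcEvent(6636, "C:\\Windows\\SysWOW64\\cmmon32.exe", "C:\\Windows\\SysWOW64\\cmmon32.exe", 3472, EXPLORER),
]

if __name__ == "__main__":
    for pid, findings in evaluate(SAMPLE_EVENTS).items():
        print(pid, findings)
```

Run against the constructed events, svchost.exe (PID 1496) collects the three Sigma findings the report lists plus the explorer heuristic, both Nyedvqj.exe instances trip the suspicious-folder check, and the two clean sample processes on the Desktop produce nothing.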

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (the configuration is the one listed under Malware Configuration above: one C2 URL and 64 decoy domains)
Yara detected FormBook
Source: Yara match; File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.1.Nyedvqj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.1.Nyedvqj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.402942283.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.380908074.0000000002B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.373751532.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.527535096.0000000000BD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.532932295.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.352491116.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.532637283.0000000003600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.302308233.0000000003D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.325589114.0000000003CAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.337058358.0000000007387000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.368626024.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.402671981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.405522216.0000000000D60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000003.291200860.0000000003DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.344615854.0000000003DEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000003.339915553.0000000003E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.371342896.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.370946797.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.369875714.0000000000690000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp, type: MEMORY
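The dump identifiers in this list carry the process index, analysis round, base address and page protection of each matched region, which is enough to pick the dump worth unpacking without opening all of them: a writable and executable region at 0x400000 is the hollowed image, an executable region elsewhere is injected code, and a PAGE_READWRITE hit is a staged buffer. The Python below is an added example, not Joe Sandbox tooling. The field layout is my reading of the naming scheme (the process index and round line up with the 11.2.<name>.400000.0.unpack names in the Unpacked PEs section, and the protection field uses the Win32 PAGE_* values); the last field is left undecoded because the page does not say what it is. The input names are taken from this list.

```python
"""Parse the Joe Sandbox memory-dump identifiers listed above and rank the
regions worth unpacking by hand. Added example, not Joe Sandbox tooling.
Field layout is my reading of the naming scheme:
    <process index>.<round>.<snapshot id>.<base address>.<protection>.<flags>.sdmp
process index and round line up with the "11.2.<name>.400000.0.unpack"
names in the Unpacked PEs section; protection uses the Win32 PAGE_* values.
The last field is not explained on the page and is kept raw."""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\."
                     r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9A-Fa-f]+)\.(\d+)(?:\.raw)?\.unpack$")
DEFAULT_IMAGEBASE = 0x400000   # ImageBase of a typical non-relocated 32-bit EXE


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process_index: int
    round_no: int
    snapshot: int
    base: int
    protect: int
    flags: int

    @property
    def protect_name(self):
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def executable(self):
        return bool(self.protect & 0xF0)           # PAGE_EXECUTE* values are 0x10..0x80

    @property
    def verdict(self):
        writable_exec = bool(self.protect & 0xC0)  # PAGE_EXECUTE_READWRITE / _WRITECOPY
        if writable_exec and self.base == DEFAULT_IMAGEBASE:
            return "hollowed image: writable+executable region at the default ImageBase"
        if self.executable:
            return "injected or unpacked code: executable region off the image base"
        return "data region (non-executable)"


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    pidx, rnd, snap, base, prot, flags = m.groups()
    return DumpRegion(name, int(pidx, 16), int(rnd, 16), int(snap),
                      int(base, 16), int(prot, 16), int(flags, 16))


def parse_unpack_name(name):
    """'17.1.Nyedvqj.exe.400000.0.raw.unpack' -> (17, 1, 'Nyedvqj.exe', 0x400000)."""
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not an unpacked-PE name: {name}")
    pidx, rnd, proc, base, _ = m.groups()
    return int(pidx), int(rnd), proc, int(base, 16)


def rank_regions(dump_names, unpack_names=()):
    """Executable regions first, default-ImageBase ones before the rest, earliest
    round first: the earliest snapshot is the least modified copy of the payload."""
    proc_names = {parse_unpack_name(u)[0]: parse_unpack_name(u)[2] for u in unpack_names}
    regions = sorted((parse_dump_name(n) for n in dump_names),
                     key=lambda r: (not r.executable, r.base != DEFAULT_IMAGEBASE,
                                    r.round_no, r.process_index))
    return [(r.name, proc_names.get(r.process_index, f"process #{r.process_index}"),
             r.protect_name, r.verdict) for r in regions]


# Names copied from the Yara match list and the Unpacked PEs section above.
FORMBOOK_DUMPS = [
    "0000000B.00000001.291686637.0000000000400000.00000040.00020000.sdmp",
    "00000012.00000002.403434949.00000000009D0000.00000040.00020000.sdmp",
    "0000000C.00000003.321247558.0000000003D30000.00000004.00000001.sdmp",
    "0000000D.00000000.337416597.0000000007387000.00000040.00020000.sdmp",
    "00000011.00000002.371020252.0000000000400000.00000040.00000001.sdmp",
    "00000001.00000002.302136605.0000000003D00000.00000004.00000001.sdmp",
    "00000011.00000001.321255326.0000000000400000.00000040.00020000.sdmp",
    "00000012.00000001.339931194.0000000000400000.00000040.00020000.sdmp",
]
UNPACK_NAMES = [
    "11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack",
    "17.1.Nyedvqj.exe.400000.0.raw.unpack",
    "18.2.Nyedvqj.exe.400000.0.unpack",
]

if __name__ == "__main__":
    for name, proc, prot, verdict in rank_regions(FORMBOOK_DUMPS, UNPACK_NAMES):
        print(f"{name}  {proc:<52} {prot:<24} {verdict}")
```

The ranking puts the round-1 RWX region at 0x400000 in process 11 (the sample's own second instance) first, which is the dump to feed to a PE rebuilder; the PAGE_READWRITE hits in processes 1 and 12 sort last because they are staged copies rather than executing code.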
Antivirus / Scanner detection for submitted sample
Source: Original Shipment Doc Ref 2853801324189923,PDF.exe; Avira: detected

Antivirus detection for dropped file
Source: C:\Users\Public\Libraries\Nyedvqj\Nyedvqj.exe; Avira: detection malicious, Label: HEUR/AGEN.1103161

Antivirus or Machine Learning detection for unpacked file
Source: 11.2.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.Nyedvqj.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.Nyedvqj.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.1.Original Shipment Doc Ref 2853801324189923,PDF.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.1.Nyedvqj.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.1.Nyedvqj.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Source: unknown; HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: Binary string: cmmon32.pdb source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source: Binary string: netsh.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source: Binary string: cmmon32.pdbGCTL source: Nyedvqj.exe, 00000012.00000002.403223771.00000000005DA000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.376044686.0000000000B60000.00000040.00000001.sdmp, Nyedvqj.exe, 00000011.00000002.376043225.00000000009B0000.00000040.00000001.sdmp, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: Original Shipment Doc Ref 2853801324189923,PDF.exe, 0000000B.00000002.372809046.0000000000752000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: Original Shipment Doc Ref 2853801324189923,PDF.exe, Nyedvqj.exe, Nyedvqj.exe, 00000012.00000002.403702389.0000000000A10000.00000040.00000001.sdmp, svchost.exe, 00000013.00000003.377211927.0000000003100000.00000004.00000001.sdmp, netsh.exe, 00000014.00000002.538070864.000000000395F000.00000040.00000001.sdmp, cmmon32.exe, 00000016.00000002.406881454.0000000004FDF000.00000040.00000001.sdmp
Source: Binary string: svchost.pdb source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp
Source: Binary string: svchost.pdbUGP source: Nyedvqj.exe, 00000011.00000002.375953797.0000000000940000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\Original Shipment Doc Ref 2853801324189923,PDF.exe