Edit tour

Windows Analysis Report
z65PurchaseOrderNo_0072024_pdf.exe

Overview

General Information

Sample name:	z65PurchaseOrderNo_0072024_pdf.exe
Analysis ID:	1474156
MD5:	89c28f1673d7cbfbfb25b4758f1b388f
SHA1:	c018438f53cead5fc650c0843fd611949e18f9f4
SHA256:	924b0124cf3bab75460848e2beacd4562367d4faf4df3f55c8d9333c6bac69d9
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Disables the Windows registry editor (regedit)

Initial sample is a PE file and has a suspicious name

Mass process execution to delay analysis

Obfuscated command line found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Too many similar processes found

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

z65PurchaseOrderNo_0072024_pdf.exe (PID: 5656 cmdline: "C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe" MD5: 89C28F1673D7CBFBFB25B4758F1B388F)

cmd.exe (PID: 4284 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6780 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7512 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4076 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5728 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 916 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4412 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6392 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5756 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3592 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1152 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3356 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7068 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4296 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6096 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7180 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7676 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1208 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7480 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3960 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5476 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4832 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6120 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6084 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5728 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7736 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6392 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5756 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3592 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2672 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7564 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1672 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 448 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1616 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2904 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5812 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7976 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6520 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2308 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1776 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4412 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3672 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2736 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3960 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1084 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4832 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 968 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5196 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2404 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4136 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8100 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5400 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1220 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4184 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6980 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5248 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1728 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1616 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1536 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4076 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7920 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7544 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2308 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1776 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

z65PurchaseOrderNo_0072024_pdf.exe (PID: 1652 cmdline: "C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe" MD5: 89C28F1673D7CBFBFB25B4758F1B388F)

reg.exe (PID: 7228 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7169426142:AAG_Nuf4vFdD3YALIW-rE-UaNUDVey15SPM/sendMessage?chat_id=1545867115"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.15595036120.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000000.00000002.15595036120.000000000069A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000082.00000002.20202093459.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.15596924194.0000000005998000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: z65PurchaseOrderNo_0072024_pdf.exe PID: 5656	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: z65PurchaseOrderNo_0072024_pdf.exe PID: 1652	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z65PurchaseOrderNo_0072024_pdf.exe PID: 1652	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: z65PurchaseOrderNo_0072024_pdf.exe

Avira: detected

Found malware configuration

Source: 00000082.00000002.20202093459.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7169426142:AAG_Nuf4vFdD3YALIW-rE-UaNUDVey15SPM/sendMessage?chat_id=1545867115"}

Multi AV Scanner detection for submitted file

Source: z65PurchaseOrderNo_0072024_pdf.exe	Virustotal: Detection: 36%			Perma Link
Source: z65PurchaseOrderNo_0072024_pdf.exe	ReversingLabs: Detection: 21%

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841DCD8 CryptUnprotectData,		130_2_3841DCD8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841DCD0 CryptUnprotectData,		130_2_3841DCD0

Source: z65PurchaseOrderNo_0072024_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.11.20:49771 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.217.110:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.217.65:443 -> 192.168.11.20:49769 version: TLS 1.2

Source: z65PurchaseOrderNo_0072024_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00406167 FindFirstFileA,FindClose,	130_2_00406167
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	130_2_00405705
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00402688 FindFirstFileA,	130_2_00402688

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 0011FBDFh	130_2_0011F928
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38412C79h	130_2_384129C8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38413240h	130_2_38412E28
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38410D0Dh	130_2_38410B30
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38411697h	130_2_38410B30
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	130_2_38410040
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38411AF9h	130_2_38411848
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38411F59h	130_2_38411CA8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38412819h	130_2_38412568
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38413240h	130_2_3841316E
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 384123B9h	130_2_38412108
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then mov esp, ebp	130_2_3841F530
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3841FA6Fh	130_2_3841F7C8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847CA53h	130_2_3847C718
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 384702E7h	130_2_38470040
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38471CF7h	130_2_38471A50
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38473707h	130_2_38473460
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847C10Fh	130_2_3847BE68
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38475117h	130_2_38474E70
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 384732AFh	130_2_38473008
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847BCB7h	130_2_3847BA10
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38474CBFh	130_2_38474A18
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847A6D7h	130_2_3847A430
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847C567h	130_2_3847C2C0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	130_2_384774C8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847AF87h	130_2_3847ACE0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38470B97h	130_2_384708F0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847AB2Fh	130_2_3847A888
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847073Fh	130_2_38470498
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847214Fh	130_2_38471EA8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847954Fh	130_2_384792A8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	130_2_384774B7
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38473B5Fh	130_2_384738B8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38470FEFh	130_2_38470D48
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 384729FFh	130_2_38472758
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847B408h	130_2_3847B160
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847440Fh	130_2_38474168
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 384725A7h	130_2_38472300
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38473FB7h	130_2_38473D10
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 384799CFh	130_2_38479728
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38474867h	130_2_384745C0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847A27Fh	130_2_38479FD8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847189Fh	130_2_384715F8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38479E27h	130_2_38479B80
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38471447h	130_2_384711A0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 38472E57h	130_2_38472BB0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 4x nop then jmp 3847B85Fh	130_2_3847B5B8

Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1XvwTTDIdfF3EUKgArIw1lyRdoqYisRVt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1XvwTTDIdfF3EUKgArIw1lyRdoqYisRVt&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.11.20:49771 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1XvwTTDIdfF3EUKgArIw1lyRdoqYisRVt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1XvwTTDIdfF3EUKgArIw1lyRdoqYisRVt&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/81.181.60.45 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000036133000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035D82000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035D66000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E40000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035DC5000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E4B000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E1F000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E13000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E2A000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: z65PurchaseOrderNo_0072024_pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: z65PurchaseOrderNo_0072024_pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035D9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.00000000054B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.00000000054B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/b
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.00000000054F5000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20185302823.0000000007140000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XvwTTDIdfF3EUKgArIw1lyRdoqYisRVt
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.00000000054F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XvwTTDIdfF3EUKgArIw1lyRdoqYisRVt~
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005539000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005526000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/c
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1XvwTTDIdfF3EUKgArIw1lyRdoqYisRVt&export=download
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1XvwTTDIdfF3EUKgArIw1lyRdoqYisRVt&export=downloadO
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1XvwTTDIdfF3EUKgArIw1lyRdoqYisRVt&export=downloadl
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.000000003607E000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000036089000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20203865276.0000000036D51000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.000000003607E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000036089000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.000000003607E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20203865276.0000000036D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/gM
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.000000003607E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/lBOr
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000036089000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20203865276.0000000036D51000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.000000003607E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15593299210.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035D82000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E40000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035DC5000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E4B000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E1F000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E13000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E2A000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/81.181.60.45
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E40000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035DC5000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E4B000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E1F000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E13000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E2A000.00000004.00000800.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/81.181.60.45$
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.orggM
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000036089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554557655.0000000005540000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000003.15554302827.0000000005540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown	HTTPS traffic detected: 142.250.217.110:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.217.65:443 -> 192.168.11.20:49769 version: TLS 1.2

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,

0_2_004051BA

Source: Conhost.exe

Process created: 107

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: z65PurchaseOrderNo_0072024_pdf.exe
Source: initial sample	Static PE information: Filename: z65PurchaseOrderNo_0072024_pdf.exe

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040322B
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		130_2_0040322B

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_004049F9	0_2_004049F9
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_004064AE	0_2_004064AE
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_004049F9	130_2_004049F9
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_004064AE	130_2_004064AE
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011B148	130_2_0011B148
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011C170	130_2_0011C170
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00116328	130_2_00116328
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011C451	130_2_0011C451
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011B5F0	130_2_0011B5F0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011C731	130_2_0011C731
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011D75C	130_2_0011D75C
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011B8D1	130_2_0011B8D1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_001148CF	130_2_001148CF
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00116950	130_2_00116950
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011BBB1	130_2_0011BBB1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011BE91	130_2_0011BE91
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011B310	130_2_0011B310
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011E324	130_2_0011E324
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00113390	130_2_00113390
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0011F928	130_2_0011F928
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841E910	130_2_3841E910
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384129C8	130_2_384129C8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384191E8	130_2_384191E8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38414EE8	130_2_38414EE8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38410B30	130_2_38410B30
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841CF98	130_2_3841CF98
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38410040	130_2_38410040
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38411848	130_2_38411848
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38419408	130_2_38419408
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38410014	130_2_38410014
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38411838	130_2_38411838
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384120F8	130_2_384120F8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38411C98	130_2_38411C98
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38411CA8	130_2_38411CA8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841255A	130_2_3841255A
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38412568	130_2_38412568
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38412108	130_2_38412108
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841EDD9	130_2_3841EDD9
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841EDE8	130_2_3841EDE8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841C5EA	130_2_3841C5EA
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384129B9	130_2_384129B9
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38418A60	130_2_38418A60
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38414ED9	130_2_38414ED9
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38419AD8	130_2_38419AD8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38410B1F	130_2_38410B1F
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841F7C8	130_2_3841F7C8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841CF88	130_2_3841CF88
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3841F7B8	130_2_3841F7B8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847F050	130_2_3847F050
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847EA00	130_2_3847EA00
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384752C8	130_2_384752C8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847F6A0	130_2_3847F6A0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847DD70	130_2_3847DD70
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847C718	130_2_3847C718
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847D720	130_2_3847D720
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847E3B8	130_2_3847E3B8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847F042	130_2_3847F042
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38471A41	130_2_38471A41
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38477840	130_2_38477840
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38470040	130_2_38470040
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38473452	130_2_38473452
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38471A50	130_2_38471A50
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847BE58	130_2_3847BE58
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38474E62	130_2_38474E62
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38473460	130_2_38473460
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847BE68	130_2_3847BE68
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38474E70	130_2_38474E70
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847A878	130_2_3847A878
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847BA02	130_2_3847BA02
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38474A08	130_2_38474A08
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38473008	130_2_38473008
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847BA10	130_2_3847BA10
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847001A	130_2_3847001A
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38474A18	130_2_38474A18
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847A422	130_2_3847A422
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38477832	130_2_38477832
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847A430	130_2_3847A430
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847C2C0	130_2_3847C2C0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384774C8	130_2_384774C8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847ACDA	130_2_3847ACDA
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847ACE0	130_2_3847ACE0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384708E0	130_2_384708E0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384722F1	130_2_384722F1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384708F0	130_2_384708F0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847A888	130_2_3847A888
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38470488	130_2_38470488
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847F690	130_2_3847F690
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38479299	130_2_38479299
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38470498	130_2_38470498
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38471E98	130_2_38471E98
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384738AA	130_2_384738AA
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38471EA8	130_2_38471EA8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384792A8	130_2_384792A8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384774B7	130_2_384774B7
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847C2B0	130_2_3847C2B0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384752B9	130_2_384752B9
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384738B8	130_2_384738B8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38478540	130_2_38478540
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38472749	130_2_38472749
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38470D48	130_2_38470D48
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847B150	130_2_3847B150
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847415A	130_2_3847415A
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38472758	130_2_38472758
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847B160	130_2_3847B160
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847DD60	130_2_3847DD60
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38474168	130_2_38474168
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38479B72	130_2_38479B72
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38472300	130_2_38472300
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38473D00	130_2_38473D00
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847D70F	130_2_3847D70F
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847C708	130_2_3847C708
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38473D10	130_2_38473D10
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847691A	130_2_3847691A
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38479718	130_2_38479718
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38479728	130_2_38479728
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38478531	130_2_38478531
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38470D39	130_2_38470D39
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384769C0	130_2_384769C0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384745C0	130_2_384745C0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38479FCA	130_2_38479FCA
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38479FD8	130_2_38479FD8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384715E8	130_2_384715E8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847E9F2	130_2_3847E9F2
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384715F8	130_2_384715F8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38472FF8	130_2_38472FF8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38479B80	130_2_38479B80
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38471190	130_2_38471190
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38472BA1	130_2_38472BA1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384711A0	130_2_384711A0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847B5AA	130_2_3847B5AA
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847E3A8	130_2_3847E3A8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_384745B2	130_2_384745B2
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38472BB0	130_2_38472BB0
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_3847B5B8	130_2_3847B5B8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38670040	130_2_38670040
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38670CD8	130_2_38670CD8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38670690	130_2_38670690
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38670CC8	130_2_38670CC8
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_38670680	130_2_38670680

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Code function: String function: 00402A3A appears 52 times

Source: z65PurchaseOrderNo_0072024_pdf.exe

Static PE information: invalid certificate

Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005526000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs z65PurchaseOrderNo_0072024_pdf.exe

Source: z65PurchaseOrderNo_0072024_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@408/13@4/4

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040322B
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		130_2_0040322B

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404486

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Code function: 0_2_0040205E LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,

0_2_0040205E

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsk5B6C.tmp

Jump to behavior

Source: z65PurchaseOrderNo_0072024_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z65PurchaseOrderNo_0072024_pdf.exe	Virustotal: Detection: 36%
Source: z65PurchaseOrderNo_0072024_pdf.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

File read: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe "C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe "C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe "C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: z65PurchaseOrderNo_0072024_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.15596924194.0000000005998000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.15595036120.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.15595036120.000000000069A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z65PurchaseOrderNo_0072024_pdf.exe PID: 5656, type: MEMORYSTR

Obfuscated command line found

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_10002D20 push eax; ret	0_2_10002D4E
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_001158C8 pushfd ; retf	130_2_00115A2D
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00115E18 pushad ; retf	130_2_00115E25

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nsv5DCF.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nsv5DCF.tmp\nsExec.dll			Jump to dropped file

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Mass process execution to delay analysis

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

API/Special instruction interceptor: Address: 2375BDF

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Memory allocated: 35CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Memory allocated: 37CC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv5DCF.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv5DCF.tmp\nsExec.dll			Jump to dropped file

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

API coverage: 0.4 %

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe TID: 6808	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe TID: 6808	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_00406167 FindFirstFileA,FindClose,	0_2_00406167
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405705
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00406167 FindFirstFileA,FindClose,	130_2_00406167
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	130_2_00405705
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Code function: 130_2_00402688 FindFirstFileA,	130_2_00402688

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Vmwaretrat
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Or#C:\windows\System32\vboxservice.exe
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Vmtoolsd
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Or)C:\windows\System32\Drivers\VBoxGuest.sys
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Or&C:\windows\System32\Drivers\VBoxSF.sys
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.00000000054B8000.00000004.00000020.00020000.00000000.sdmp, z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20184534591.0000000005526000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Or*C:\windows\System32\Drivers\vmmousever.dll
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Or'C:\windows\System32\Drivers\Vmmouse.sys
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Or+C:\windows\System32\Drivers\VMToolsHook.dll
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Or)C:\windows\System32\Drivers\VBoxMouse.sys
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Vmwareuser
Source: z65PurchaseOrderNo_0072024_pdf.exe, 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Or#C:\windows\System32\vboxservice.exeNOr

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	API call chain: ExitProcess graph end node			graph_0-4240
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	API call chain: ExitProcess graph end node			graph_0-4405

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Code function: 0_2_00405542 CreateDirectoryA,GetLastError,GetLastError,LdrInitializeThunk,SetFileSecurityA,GetLastError,

0_2_00405542

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Process created: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe "C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Queries volume information: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040322B

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables the Windows registry editor (regedit)

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000082.00000002.20202093459.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z65PurchaseOrderNo_0072024_pdf.exe PID: 1652, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\z65PurchaseOrderNo_0072024_pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: z65PurchaseOrderNo_0072024_pdf.exe PID: 1652, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000082.00000002.20202093459.0000000035CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000082.00000002.20202093459.0000000035E57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z65PurchaseOrderNo_0072024_pdf.exe PID: 1652, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Modify Registry	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	11 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Time Based Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	115 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Time Based Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	3 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z65PurchaseOrderNo_0072024_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
z65PurchaseOrderNo_0072024_pdf.exe