Windows Analysis Report
z1Quotation.scr.exe

Overview

General Information

Sample name: z1Quotation.scr.exe
Analysis ID: 1522580
MD5: 0a648622633dbd21fef151b525657b2c
SHA1: 49a34b496d78054a1b6404dd04d9be60d071ae52
SHA256: 3cc2813b0ce3a69bd64acdbe194fa68e067a150626cf45e665a27836f39ac39d
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Obfuscated command line found
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected BrowsingHistoryView browser history reader tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Multi AV Scanner detection for domain / URL
Source: telesavers.co.za Virustotal: Detection: 13% Perma Link
Source: http://geoplugin.net/json.gp Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for submitted file
Source: z1Quotation.scr.exe Virustotal: Detection: 18% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35121957679.0000000007422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1Quotation.scr.exe PID: 1412, type: MEMORYSTR
Machine Learning detection for sample
Source: z1Quotation.scr.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 137_2_00404423

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Unpacked PE file: 140.2.z1Quotation.scr.exe.400000.0.unpack
Uses 32bit PE files
Source: z1Quotation.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 102.65.21.26:443 -> 192.168.11.20:49760 version: TLS 1.2
Source: z1Quotation.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Projects\VS2005\BrowsingHistoryView\Release\BrowsingHistoryView.pdb source: z1Quotation.scr.exe
Source: Binary string: D:\qb\workspace\23788\source\audio_codec\HDAudioDrv\x64\DAudRelease\IntcDAud.pdb source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00405B60 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405B60
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00406731 FindFirstFileA,FindClose, 0_2_00406731
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_004027AF FindFirstFileA, 0_2_004027AF
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040AE51 FindFirstFileW,FindNextFileW, 137_2_0040AE51
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 138_2_00407EF8
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 139_2_00407898
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_004098C4 FindFirstFileW,FindNextFileW, 140_2_004098C4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 146_2_00407898
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Temp\hhsvynxt Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49764 -> 23.106.238.209:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49763 -> 23.106.238.209:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49761 -> 23.106.238.209:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49769 -> 23.106.238.209:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49770 -> 23.106.238.209:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49767 -> 23.106.238.209:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49768 -> 23.106.238.209:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49771 -> 23.106.238.209:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49774 -> 23.106.238.209:2404
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49761 -> 23.106.238.209:2404
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-SFO-12US LEASEWEB-USA-SFO-12US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.11.20:49762 -> 178.237.33.50:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49760 -> 102.65.21.26:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /FrKSUMZ203.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: telesavers.co.zaCache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /FrKSUMZ203.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: telesavers.co.zaCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: z1Quotation.scr.exe String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: z1Quotation.scr.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: telesavers.co.za
Source: global traffic DNS traffic detected: DNS query: subddfg.lol
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://OCSP.intel.com/0
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33996272367.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33995869114.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36286467585.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000002.36290061377.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36215218240.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33996272367.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33995869114.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36286467585.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000002.36290061377.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36215218240.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.quovadisglobal.com/qvicag4.crl0
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.quovadisglobal.com/qvrca.crl0
Source: z1Quotation.scr.exe, 00000082.00000003.34024760811.0000000007483000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35122151040.0000000007489000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34024760811.0000000007483000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35959037232.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34024760811.0000000007487000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121905251.0000000007487000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121957679.00000000073E0000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpB_
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpH_
Source: z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpM
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpV_0
Source: z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpn.net/json.gp
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpo_
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpsg
Source: z1Quotation.scr.exe, z1Quotation.scr.exe, 00000000.00000000.32405926725.000000000040A000.00000008.00000001.01000000.00000003.sdmp, z1Quotation.scr.exe, 00000000.00000002.33493288992.000000000040A000.00000004.00000001.01000000.00000003.sdmp, z1Quotation.scr.exe, 00000082.00000000.32835780083.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: z1Quotation.scr.exe, 00000000.00000000.32405926725.000000000040A000.00000008.00000001.01000000.00000003.sdmp, z1Quotation.scr.exe, 00000000.00000002.33493288992.000000000040A000.00000004.00000001.01000000.00000003.sdmp, z1Quotation.scr.exe, 00000082.00000000.32835780083.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.quovadisglobal.com05
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.quovadisglobal.com0O
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.intel.com/crl/IntelCA7B.crl0f
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.intel.com/crt/IntelCA7B.crt0
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://trust.quovadisglobal.com/qvicag4.crt0
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://trust.quovadisglobal.com/qvrca.crt0
Source: z1Quotation.scr.exe String found in binary or memory: http://www.ebuddy.com
Source: z1Quotation.scr.exe String found in binary or memory: http://www.imvu.com
Source: z1Quotation.scr.exe String found in binary or memory: http://www.nirsoft.net/
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33996272367.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33995869114.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36286467585.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000002.36290061377.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36215218240.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/repository0
Source: z1Quotation.scr.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33996272367.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33995869114.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36286467585.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000002.36290061377.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36215218240.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968794940.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35959037232.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35979025881.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33236979197.00000000073FC000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35989039555.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121957679.00000000073E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33236979197.00000000073FC000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/(
Source: z1Quotation.scr.exe, 00000082.00000003.33236979197.00000000073FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/)
Source: z1Quotation.scr.exe, 00000082.00000003.33237027260.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/-4062-986e-6b0fce555694
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/-4062-986e-6b0fce555694s
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/-4062-986e-6b0fce555694sDN
Source: z1Quotation.scr.exe, 00000082.00000003.33237027260.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/Bo
Source: z1Quotation.scr.exe, 00000082.00000003.33541893342.0000000007415000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968794940.0000000007415000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/FrKSUMZ203.bin
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/FrKSUMZ203.binAppData
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33236810978.0000000007415000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33236979197.00000000073FC000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33541893342.0000000007415000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/FrKSUMZ203.binI
Source: z1Quotation.scr.exe, 00000082.00000003.33236810978.0000000007415000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33541893342.0000000007415000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/FrKSUMZ203.binc
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33236979197.00000000073FC000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/FrKSUMZ203.binrasadhlp.dll
Source: z1Quotation.scr.exe, 00000082.00000003.33237027260.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/Jo
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33236979197.00000000073FC000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/Tt
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/bo
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/telesavers.co.za
Source: z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telesavers.co.za/telesavers.co.za5
Source: z1Quotation.scr.exe String found in binary or memory: https://www.google.com
Source: z1Quotation.scr.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown HTTPS traffic detected: 102.65.21.26:443 -> 192.168.11.20:49760 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00405620 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard, 0_2_00405620
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 137_2_0040987A
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 137_2_004098E2
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 138_2_00406DFC
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 138_2_00406E9F
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 139_2_004068B5
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 139_2_004072B5
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_004082FF EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 140_2_004082FF
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00408367 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 140_2_00408367
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 146_2_004068B5
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 146_2_004072B5
Installs a global mouse hook
Source: C:\Windows\SysWOW64\dxdiag.exe Windows user hook set: 0 mouse low level C:\Windows\System32\dinput8.dll

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35121957679.0000000007422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1Quotation.scr.exe PID: 1412, type: MEMORYSTR
Too many similar processes found
Source: Conhost.exe Process created: 96

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: z1Quotation.scr.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process Stats: CPU usage > 6%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 137_2_0040DD85
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00401806 NtdllDefWindowProc_W, 137_2_00401806
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_004018C0 NtdllDefWindowProc_W, 137_2_004018C0
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_004016FD NtdllDefWindowProc_A, 138_2_004016FD
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_004017B7 NtdllDefWindowProc_A, 138_2_004017B7
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00402CAC NtdllDefWindowProc_A, 139_2_00402CAC
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00402D66 NtdllDefWindowProc_A, 139_2_00402D66
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00409ED0 NtQuerySystemInformation,NtQuerySystemInformation, 140_2_00409ED0
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00409F44 memset,CreateFileW,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,CloseHandle, 140_2_00409F44
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00402CAC NtdllDefWindowProc_A, 146_2_00402CAC
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00402D66 NtdllDefWindowProc_A, 146_2_00402D66
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_004034D1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,LdrInitializeThunk,wsprintfA,GetFileAttributesA,DeleteFileA,LdrInitializeThunk,SetCurrentDirectoryA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034D1
Detected potential crypto function
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00406ABA 0_2_00406ABA
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_6D431B28 0_2_6D431B28
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00406E8F 137_2_00406E8F
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044B040 137_2_0044B040
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0043610D 137_2_0043610D
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00447310 137_2_00447310
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044A490 137_2_0044A490
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040755A 137_2_0040755A
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0043C560 137_2_0043C560
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044B610 137_2_0044B610
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044D6C0 137_2_0044D6C0
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_004476F0 137_2_004476F0
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044B870 137_2_0044B870
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044081D 137_2_0044081D
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00414957 137_2_00414957
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_004079EE 137_2_004079EE
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00407AEB 137_2_00407AEB
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044AA80 137_2_0044AA80
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00412AA9 137_2_00412AA9
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00404B74 137_2_00404B74
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00404B03 137_2_00404B03
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044BBD8 137_2_0044BBD8
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00404BE5 137_2_00404BE5
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00404C76 137_2_00404C76
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00415CFE 137_2_00415CFE
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00416D72 137_2_00416D72
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00446D30 137_2_00446D30
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00446D8B 137_2_00446D8B
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00405038 138_2_00405038
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0041208C 138_2_0041208C
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_004050A9 138_2_004050A9
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0040511A 138_2_0040511A
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0043C13A 138_2_0043C13A
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_004051AB 138_2_004051AB
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00449300 138_2_00449300
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0040D322 138_2_0040D322
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0044A4F0 138_2_0044A4F0
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0043A5AB 138_2_0043A5AB
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00413631 138_2_00413631
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00446690 138_2_00446690
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0044A730 138_2_0044A730
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_004398D8 138_2_004398D8
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_004498E0 138_2_004498E0
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0044A886 138_2_0044A886
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0043DA09 138_2_0043DA09
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00438D5E 138_2_00438D5E
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00449ED0 138_2_00449ED0
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0041FE83 138_2_0041FE83
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00430F54 138_2_00430F54
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004050C2 139_2_004050C2
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004014AB 139_2_004014AB
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00405133 139_2_00405133
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004051A4 139_2_004051A4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00401246 139_2_00401246
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_0040CA46 139_2_0040CA46
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00405235 139_2_00405235
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004032C8 139_2_004032C8
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004222D9 139_2_004222D9
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00401689 139_2_00401689
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00402F60 139_2_00402F60
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_004079B6 140_2_004079B6
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00415063 140_2_00415063
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_0043F014 140_2_0043F014
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_0043A3EF 140_2_0043A3EF
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00432671 140_2_00432671
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_0043D76D 140_2_0043D76D
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_004217C9 140_2_004217C9
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00413ACB 140_2_00413ACB
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_0043BC0D 140_2_0043BC0D
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_0043AF50 140_2_0043AF50
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004050C2 146_2_004050C2
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004014AB 146_2_004014AB
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00405133 146_2_00405133
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004051A4 146_2_004051A4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00401246 146_2_00401246
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_0040CA46 146_2_0040CA46
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00405235 146_2_00405235
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004032C8 146_2_004032C8
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004222D9 146_2_004222D9
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00401689 146_2_00401689
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00402F60 146_2_00402F60
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00413DCE appears 48 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00414060 appears 50 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00414A64 appears 78 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00413CE8 appears 58 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00423B2E appears 43 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00413D0C appears 36 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00413D18 appears 42 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: String function: 00416760 appears 69 times
One or more processes crash
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 2348
Sample file is different than original file name gathered from version info
Source: z1Quotation.scr.exe Binary or memory string: OriginalFileName vs z1Quotation.scr.exe
Source: z1Quotation.scr.exe Binary or memory string: OriginalFilename vs z1Quotation.scr.exe
Source: z1Quotation.scr.exe Binary or memory string: OriginalFileName vs z1Quotation.scr.exe
Source: z1Quotation.scr.exe Binary or memory string: OriginalFilename vs z1Quotation.scr.exe
Spawns drivers
Source: unknown Driver loaded: C:\Windows\System32\drivers\mstee.sys
Uses 32bit PE files
Source: z1Quotation.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@410/33@14/3
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 137_2_004182CE
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_004034D1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,LdrInitializeThunk,wsprintfA,GetFileAttributesA,DeleteFileA,LdrInitializeThunk,SetCurrentDirectoryA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034D1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 139_2_00410DE1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 146_2_00410DE1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_004048D0 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004048D0
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle, 137_2_00413D4C
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00402178 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk, 0_2_00402178
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy, 137_2_0040B58D
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-ZLUOGZ
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1412
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Local\Temp\nsx806F.tmp Jump to behavior
Source: z1Quotation.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\z1Quotation.scr.exe System information queried: HandleInformation
Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: z1Quotation.scr.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: z1Quotation.scr.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: z1Quotation.scr.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: z1Quotation.scr.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: z1Quotation.scr.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: z1Quotation.scr.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: z1Quotation.scr.exe Virustotal: Detection: 18%
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File read: C:\Users\user\Desktop\z1Quotation.scr.exe Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\z1Quotation.scr.exe "C:\Users\user\Desktop\z1Quotation.scr.exe"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe "C:\Users\user\Desktop\z1Quotation.scr.exe"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\hhsvynxt"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 2348
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xadmhfv"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\gymlnlyltcmojzwgtmnvsm"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe "C:\Users\user\Desktop\z1Quotation.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\hhsvynxt" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xadmhfv" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\gymlnlyltcmojzwgtmnvsm" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dxdiagn.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: d3d12.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wmiclnt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dsound.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: devrtl.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: spinf.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: drvstore.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wifidisplay.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mmdevapi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mfplat.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: rtworkq.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mf.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mfcore.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ksuser.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mfperfhelper.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mfsensorgroup.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: comppkgsup.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: windows.media.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: windows.applicationmodel.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dispbroker.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: d3d12core.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: d3dscache.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dxilconv.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: d3d9.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mscat32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: d3d9.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ddraw.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dciman32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: audioses.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dinput8.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: hid.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: devenum.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msdmo.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: quartz.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: d3d9.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: iccvid.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: iyuv_32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: iyuv_32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msrle32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msvidc32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msyuv.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msyuv.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: tsbyuv.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msyuv.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: avrt.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: midimap.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: avicap32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: spfileq.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\Desktop\z1Quotation.scr.cfg
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: z1Quotation.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Projects\VS2005\BrowsingHistoryView\Release\BrowsingHistoryView.pdb source: z1Quotation.scr.exe
Source: Binary string: D:\qb\workspace\23788\source\audio_codec\HDAudioDrv\x64\DAudRelease\IntcDAud.pdb source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Unpacked PE file: 137.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Unpacked PE file: 138.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Unpacked PE file: 139.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Unpacked PE file: 140.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Unpacked PE file: 144.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Unpacked PE file: 145.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Unpacked PE file: 146.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Unpacked PE file: 140.2.z1Quotation.scr.exe.400000.0.unpack
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.33495375188.0000000006463000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.33493748290.0000000000637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.33493748290.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.33493748290.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1Quotation.scr.exe PID: 2504, type: MEMORYSTR
Obfuscated command line found
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_6D431B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6D431B28
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044693D push ecx; ret 137_2_0044694D
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044DB70 push eax; ret 137_2_0044DB84
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0044DB70 push eax; ret 137_2_0044DBAC
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00451D54 push eax; ret 137_2_00451D61
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0044B090 push eax; ret 138_2_0044B0A4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_0044B090 push eax; ret 138_2_0044B0CC
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00451D34 push eax; ret 138_2_00451D41
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00444E71 push ecx; ret 138_2_00444E81
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00414060 push eax; ret 139_2_00414074
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00414060 push eax; ret 139_2_0041409C
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00414039 push ecx; ret 139_2_00414049
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004164EB push 0000006Ah; retf 139_2_004165C4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00416553 push 0000006Ah; retf 139_2_004165C4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00416555 push 0000006Ah; retf 139_2_004165C4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00445240 push eax; ret 140_2_00445254
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00445240 push eax; ret 140_2_0044527C
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_0044C670 push esp; retf 140_2_0044C671
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_0044C6B4 push eax; ret 140_2_0044C6C1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00444EA1 push ecx; ret 140_2_00444EB1
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00414060 push eax; ret 146_2_00414074
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00414060 push eax; ret 146_2_0041409C
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00414039 push ecx; ret 146_2_00414049
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004164EB push 0000006Ah; retf 146_2_004165C4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00416553 push 0000006Ah; retf 146_2_004165C4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00416555 push 0000006Ah; retf 146_2_004165C4
Drops PE files
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Siskenernes.Mom105 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Overtakes.fly Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Fodterapeut.Bew Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Perichord.str Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Septifragal.fla Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Sesquihydrated12.txt Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Terpe.dat Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines\spirographin.sur Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines\talpatate.luk Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 138_2_004047CB
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Mass process execution to delay analysis
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk Where DriveType=3
Query firmware table information (likely to detect VMs)
Source: C:\Windows\SysWOW64\dxdiag.exe System information queried: FirmwareTableInformation
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\z1Quotation.scr.exe API/Special instruction interceptor: Address: 3556B09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 137_2_0040DD85
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Window / User API: threadDelayed 9897 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\z1Quotation.scr.exe API coverage: 9.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\z1Quotation.scr.exe TID: 3672 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe TID: 1992 Thread sleep time: -264000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe TID: 1992 Thread sleep time: -29691000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 03h and CTI: jne 00403A46h 140_2_00403A04
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 02h and CTI: jne 00403A59h 140_2_00403A04
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 04h and CTI: jne 00403A82h 140_2_00403A04
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 05h and CTI: jne 00403A97h 140_2_00403A04
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00405B60 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405B60
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00406731 FindFirstFileA,FindClose, 0_2_00406731
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_004027AF FindFirstFileA, 0_2_004027AF
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040AE51 FindFirstFileW,FindNextFileW, 137_2_0040AE51
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 138_2_00407EF8
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 139_2_00407898
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_004098C4 FindFirstFileW,FindNextFileW, 140_2_004098C4
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 146_2_00407898
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00418981 memset,GetSystemInfo, 137_2_00418981
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Temp\hhsvynxt Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: z1Quotation.scr.exe, 00000082.00000003.35991202437.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35979025881.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968794940.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35989039555.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968794940.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35959037232.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35959037232.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35979025881.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991202437.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121957679.0000000007422000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: z1Quotation.scr.exe, 00000000.00000002.33494425602.00000000028EE000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000000.00000002.33495375188.0000000004E90000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: hgFs=
Source: z1Quotation.scr.exe, 00000082.00000003.33237027260.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\z1Quotation.scr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\z1Quotation.scr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\z1Quotation.scr.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\dxdiag.exe Process information queried: ProcessInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00403F44 SetWindowPos,ShowWindow,GetWindowLongA,ShowWindow,DestroyWindow,SetWindowLongA,GetDlgItem,SendMessageA,IsWindowEnabled,SendMessageA,GetDlgItem,LdrInitializeThunk,GetDlgItem,GetDlgItem,SetClassLongA,LdrInitializeThunk,SendMessageA,LdrInitializeThunk,LdrInitializeThunk,GetDlgItem,ShowWindow,KiUserCallbackDispatcher,EnableWindow,LdrInitializeThunk,GetSystemMenu,EnableMenuItem,SendMessageA,LdrInitializeThunk,SendMessageA,SendMessageA,lstrlenA,SetWindowTextA,DestroyWindow,CreateDialogParamA,GetDlgItem,GetWindowRect,ScreenToClient,SetWindowPos,ShowWindow,DestroyWindow,EndDialog,ShowWindow, 0_2_00403F44
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 137_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_6D431B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6D431B28
Enables debug privileges
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: NULL target: C:\Users\user\Desktop\z1Quotation.scr.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: NULL target: C:\Users\user\Desktop\z1Quotation.scr.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: NULL target: C:\Users\user\Desktop\z1Quotation.scr.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: NULL target: C:\Users\user\Desktop\z1Quotation.scr.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: NULL target: C:\Users\user\Desktop\z1Quotation.scr.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: NULL target: C:\Users\user\Desktop\z1Quotation.scr.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: NULL target: C:\Users\user\Desktop\z1Quotation.scr.exe protection: execute and read and write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe "C:\Users\user\Desktop\z1Quotation.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\hhsvynxt" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xadmhfv" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro" Jump to behavior
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\gymlnlyltcmojzwgtmnvsm" Jump to behavior
Source: z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968438637.0000000007488000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978936796.0000000007488000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: z1Quotation.scr.exe, 00000082.00000003.35978936796.0000000007488000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988752438.0000000007488000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager"
Source: z1Quotation.scr.exe, 00000082.00000003.35968794940.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35979025881.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991202437.00000000073F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerO
Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\igdlh.cat VolumeInformation
Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem23.cat VolumeInformation
Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem24.cat VolumeInformation
Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.cat VolumeInformation
Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem15.cat VolumeInformation
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 137_2_0041881C
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 138_2_004082CD
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_004034D1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,LdrInitializeThunk,wsprintfA,GetFileAttributesA,DeleteFileA,LdrInitializeThunk,SetCurrentDirectoryA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034D1
Source: C:\Windows\SysWOW64\dxdiag.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35121957679.0000000007422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1Quotation.scr.exe PID: 1412, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite-shm
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: EntryPoint, ESMTPPassword 138_2_004033F0
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 138_2_00402DB3
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 138_2_00402DB3
Yara detected BrowsingHistoryView browser history reader tool
Source: Yara match File source: 140.2.z1Quotation.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 140.2.z1Quotation.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000008C.00000002.36509511110.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Users\user\Desktop\z1Quotation.scr.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZLUOGZ Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35121957679.0000000007422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1Quotation.scr.exe PID: 1412, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1522580 Sample: z1Quotation.scr.exe Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 55 subddfg.lol 2->55 57 telesavers.co.za 2->57 59 geoplugin.net 2->59 65 Multi AV Scanner detection for domain / URL 2->65 67 Suricata IDS alerts for network traffic 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 6 other signatures 2->71 8 z1Quotation.scr.exe 1 34 2->8         started        12 mstee.sys 2->12         started        14 mskssrv.sys 2->14         started        signatures3 process4 file5 45 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->45 dropped 47 C:\Users\user\AppData\Local\...\System.dll, PE32 8->47 dropped 73 Detected unpacking (changes PE section rights) 8->73 75 Detected unpacking (overwrites its own PE header) 8->75 77 Tries to steal Mail credentials (via file registry) 8->77 79 3 other signatures 8->79 16 z1Quotation.scr.exe 3 15 8->16         started        20 cmd.exe 8->20         started        22 cmd.exe 8->22         started        24 62 other processes 8->24 signatures6 process7 dnsIp8 49 subddfg.lol 23.106.238.209, 2404, 49761, 49763 LEASEWEB-USA-SFO-12US United Kingdom 16->49 51 telesavers.co.za 102.65.21.26, 443, 49760 Web-Africa-Networks-ASZA South Africa 16->51 53 geoplugin.net 178.237.33.50, 49762, 80 ATOM86-ASATOM86NL Netherlands 16->53 61 Detected Remcos RAT 16->61 63 Maps a DLL or memory area into another process 16->63 26 dxdiag.exe 16->26         started        29 z1Quotation.scr.exe 16->29         started        31 z1Quotation.scr.exe 16->31         started        41 6 other processes 16->41 33 Conhost.exe 20->33         started        35 Conhost.exe 22->35         started        37 Conhost.exe 24->37         started        39 Conhost.exe 24->39         started        43 60 other processes 24->43 signatures9 process10 signatures11 81 Query firmware table information (likely to detect VMs) 26->81 83 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 26->83 85 Tries to steal Instant Messenger accounts or passwords 29->85 87 Tries to steal Mail credentials (via file / registry access) 29->87 89 Tries to harvest and steal browser information (history, passwords, etc) 41->89
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.106.238.209
 subddfg.lol United Kingdom
7203 LEASEWEB-USA-SFO-12US true
102.65.21.26
 telesavers.co.za South Africa
328453 Web-Africa-Networks-ASZA false
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Contacted Domains

Name IP Active
telesavers.co.za 102.65.21.26 true
geoplugin.net 178.237.33.50 true
subddfg.lol 23.106.238.209 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp false unknown
https://telesavers.co.za/FrKSUMZ203.bin true
    		unknown