Windows Analysis Report
Quotation.scr.exe

AV Detection

Source: Quotation.scr.exe	ReversingLabs: Detection: 28%
Source: Quotation.scr.exe	Virustotal: Detection: 48%			Perma Link

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Compliance

Source: Quotation.scr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Quotation.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: C:\Users\user\Desktop\Quotation.scr.exe	Code function: 0_2_004059E3 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_004059E3
Source: C:\Users\user\Desktop\Quotation.scr.exe	Code function: 0_2_00406598 FindFirstFileA,FindClose,		0_2_00406598
Source: C:\Users\user\Desktop\Quotation.scr.exe	Code function: 0_2_004027AA FindFirstFileA,		0_2_004027AA

Networking

Source: Quotation.scr.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Quotation.scr.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Quotation.scr.exe

Code function: 0_2_00405480 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405480

DDoS

Source: Conhost.exe

Process created: 122

System Summary

Source: initial sample

Static PE information: Filename: Quotation.scr.exe

Source: C:\Users\user\Desktop\Quotation.scr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Quotation.scr.exe

Code function: 0_2_0040337D EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040337D

Source: C:\Users\user\Desktop\Quotation.scr.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.scr.exe	Code function: 0_2_00406921		0_2_00406921
Source: C:\Users\user\Desktop\Quotation.scr.exe	Code function: 0_2_73F11B28		0_2_73F11B28

Source: Quotation.scr.exe, 00000000.00000000.2138897540.0000000000437000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameabdicere.exe@ vs Quotation.scr.exe
Source: Quotation.scr.exe	Binary or memory string: OriginalFilenameabdicere.exe@ vs Quotation.scr.exe

Source: Quotation.scr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@400/11@0/0

Source: C:\Users\user\Desktop\Quotation.scr.exe

Code function: 0_2_0040337D EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040337D

Source: C:\Users\user\Desktop\Quotation.scr.exe

Code function: 0_2_00404730 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404730

Source: C:\Users\user\Desktop\Quotation.scr.exe

Code function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar,

0_2_00402173

Source: C:\Users\user\Desktop\Quotation.scr.exe

File created: C:\Users\user\AppData\Roaming\filigraners

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.scr.exe

File created: C:\Users\user\AppData\Local\Temp\nsgBB08.tmp

Jump to behavior

Source: Quotation.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation.scr.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation.scr.exe	ReversingLabs: Detection: 28%
Source: Quotation.scr.exe	Virustotal: Detection: 48%

Source: C:\Users\user\Desktop\Quotation.scr.exe

File read: C:\Users\user\Desktop\Quotation.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation.scr.exe "C:\Users\user\Desktop\Quotation.scr.exe"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: oleacc.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: shfolder.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: riched20.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: usp10.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: msls31.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Section loaded: textshaping.dll			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Quotation.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match	File source: 00000000.00000002.4583598901.00000000068E3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4582856976.0000000000656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4582856976.000000000066A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4582856976.0000000000681000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.scr.exe PID: 4188, type: MEMORYSTR

Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.scr.exe

Code function: 0_2_73F11B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_73F11B28

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Quotation.scr.exe	File created: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\nsExec.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.scr.exe	File created: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Quotation.scr.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"

Source: C:\Users\user\Desktop\Quotation.scr.exe

RDTSC instruction interceptor: First address: 6C4D5D6 second address: 6C4D5D6 instructions: 0x00000000 rdtsc 0x00000002 cmp bl, dl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F40048800FFh 0x00000008 cmp edi, 3DD574F0h 0x0000000e inc ebp 0x0000000f test cx, ax 0x00000012 inc ebx 0x00000013 rdtsc

Source: C:\Users\user\Desktop\Quotation.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\nsExec.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiBEB3.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Quotation.scr.exe TID: 2788

Thread sleep time: -31900s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\Quotation.scr.exe	Code function: 0_2_004059E3 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_004059E3
Source: C:\Users\user\Desktop\Quotation.scr.exe	Code function: 0_2_00406598 FindFirstFileA,FindClose,		0_2_00406598
Source: C:\Users\user\Desktop\Quotation.scr.exe	Code function: 0_2_004027AA FindFirstFileA,		0_2_004027AA

Source: C:\Users\user\Desktop\Quotation.scr.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Quotation.scr.exe	API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\Quotation.scr.exe

Code function: 0_2_73F11B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_73F11B28

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.scr.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\Quotation.scr.exe

Code function: 0_2_0040337D EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040337D